Authored by: Anil Kumar Sekhara & Ashish Kumar
This AppNote describes how to log in to a Windows XP domain member machine with Novell KDC credentials, using a Kerberos cross-realm trust between the Novell KDC and the Microsoft KDC (Active Directory).
Objective
The objective is to log in to a Windows machine that is part of an Active Directory Domain, using credentials of a user principal in a Novell KDC realm. Cross-realm trust is used between Active Directory and Novell KDC.
This AppNote explains how to configure cross-realm trust between Active Directory and Novell KDC, so that a Novell KDC user can log in to a domain member machine of Active Directory.
Prerequisite
Novell KDC 1.5 and Active Directory (on Windows Server 2003) must be installed and able to reach each other: both KDCs must resolve each other's names in DNS and the Kerberos port (88/tcp and 88/udp) must be open in both directions.
Establishing Cross-Realm Trust
A cross-realm trust is established between the Novell KDC realm and Active Directory so that Novell KDC users can authenticate to resources inside the Active Directory domain. Because users can log in to member machines of the Active Directory domain, they can then access Windows services seamlessly. Note that the trust only carries authentication; what the user may do in the domain is decided by the Active Directory account the Novell principal is mapped to in Step 5.
The basic steps in the setup process are described below.
Step 1: Provide the Name and Location of the NKDC Server
The Windows XP machine must know the name and location of the NKDC server in order to authenticate to NKDC (the user belongs to the NKDC realm). This information is stored in the Windows registry using the ksetup utility, which comes with the Windows Support Tools on the Windows CD. Kerberos realm names are case-sensitive, so give the realm exactly as it is defined on the NKDC (NKDC185.com in this AppNote) and spell it the same way in the krbtgt principals and the AD trust later on.
1. Run the ksetup utility at the command prompt, as shown below:
ksetup.exe /addkdc NKDC_REALM_NAME machineNameOfNovellKDC
An example run is shown in Figure 1.
Figure 1 – Adding an NKDC realm
Step 2: Reboot the Windows XP Machine
Reboot the Windows XP machine (a domain member) for the registry entries to take effect. The newly added Novell KDC information is stored in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\<realm name>, with the KDC host name in the KdcNames value, as shown in Figure 2.
Figure 2 – Registry info for NKDC
Step 3: Establish Cross-Realm Trust between Active Directory and the Novell KDC Realm
Note: The password chosen for the cross-realm trust must be the same on both Active Directory (configured on Windows 2003 Server) and NKDC when creating the trust. It is the shared secret between Novell KDC and Active Directory, from which both KDCs derive the inter-realm key; choose it as you would any long-lived service secret and do not reuse an administrator password.
NKDC Server Configuration
1. Add the following two krbtgt principals using kadmin.local, with encryption type des:normal:
krbtgt/NKDC_REALM@AD-DOMAIN-NAME
krbtgt/AD-DOMAIN-NAME@NKDC_REALM
Note: Single DES is a weak encryption type, deprecated for Kerberos by RFC 6649, and Windows 7 / Windows Server 2008 R2 and later disable it by default. The des:normal setting is what this AppNote used with Windows Server 2003; if you reproduce the setup with newer Windows versions, pick an encryption type both sides support (RC4-HMAC or AES) for these two principals and for the trust.
Example:
st-nf-cli-185:/opt/novell/kerberos/sbin # kadmin.local
Authenticating as principal administrator/admin@CERT1.COM with password.
kadmin.local: addprinc -e des:normal krbtgt/CERT1.COM@NKDC185.com
WARNING: no policy specified for krbtgt/CERT1.COM@NKDC185.com; defaulting to no policy
Enter password for principal "krbtgt/CERT1.COM@NKDC185.com":
Re-enter password for principal "krbtgt/CERT1.COM@NKDC185.com":
Principal "krbtgt/CERT1.COM@NKDC185.com" created.
kadmin.local: addprinc -e des:normal krbtgt/NKDC185.com@CERT1.COM
WARNING: no policy specified for krbtgt/NKDC185.com@CERT1.COM; defaulting to no policy
Enter password for principal "krbtgt/NKDC185.com@CERT1.COM":
Re-enter password for principal "krbtgt/NKDC185.com@CERT1.COM":
Principal "krbtgt/NKDC185.com@CERT1.COM" created.
Win2K3 Server (AD) Configuration
1. Log in to Windows 2003 server, using an account that has Domain Administrator privileges.
2. Open Active Directory domain and trusts by clicking Start > Programs > Administrative Tools > Active Directory Domains and Trusts.
3. Right-click on Domain and select Properties.
4. Add the Novell KDC Realm to be trusted by Active Directory by clicking on Trusts and then New Trust, as shown in Figure 3.
Figure 3 – cert1.com Properties
Then complete the steps as shown in Figures 4-13 below.
Figure 4 – New Trust Wizard
Figure 5 – cert1.com Properties
Figure 6 – New Trust Wizard
Figure 7 – Trust Name
Figure 8 – Trust Type
Figure 9 – Direction of Trust
Note: When setting the password for the trusted realm under "Domains trusted by this domain" on the AD server, use the same password that was given to the krbtgt/CERT1.COM@NKDC185.com principal created in NKDC with kadmin.local.
Figure 10 – Trust Password
Figure 11 – Trust Selections Complete
Figure 12 – Completing the New Trust Wizard
Once the trusted domain is added, it should be displayed as shown in Figure 13.
Figure 13 – cert1.com Properties
Note: By default, the trust setup using the above method is transitive, which means that child domain members of Active Directory can also authenticate against Novell KDC. This trust can be marked as non-transitive in the Active Directory server using the netdom tool (available with the Microsoft Support Tools) as follows:
C:\Program Files\Support Tools> netdom TRUST CERT1.COM /Domain:NKDC185.com /Transitive:no
Step 4: Create a User Principal
Create a user principal that will be used to log in to the member machine of AD, using kadmin.local in the Novell KDC.
Example:
st-nf-cli-185:/etc/init.d # kadmin.local
Authenticating as principal administrator/admin@CERT1.COM with password.
kadmin.local: addprinc userinNKDC
WARNING: no policy specified for userinNKDC@NKDC185.com; defaulting to no policy
Enter password for principal "userinNKDC@NKDC185.com":
Re-enter password for principal "userinNKDC@NKDC185.com":
Principal "userinNKDC@NKDC185.com" created.
Step 5: Map an AD User to a Novell KDC User
On the Active Directory server, map an existing Active Directory user to the Novell KDC user principal created in Step 4. The mapping is stored in the altSecurityIdentities attribute of the AD user (as Kerberos:userinNKDC@NKDC185.com) and tells the domain which account the foreign principal represents: the Novell KDC authenticates the user, and the mapped AD account determines what that user is authorized to do on the member machine. Map the principal only to an account with the privileges the Novell user should have, and map each principal to exactly one account. You can do this through the Active Directory Users and Computers tool as follows:
1. Open the Active Directory Users and Computers tool (Start > Programs > Administrative Tools > Active Directory Users and Computers).
2. Ensure that the Advanced Features menu item is checked in the View menu, as shown in Figure 14.
Figure 14 – Selecting Advanced Features
3. Locate the Active Directory user account to which the Novell KDC user principal should be mapped.
4. Right-click the user account and select Name Mappings. The Security Identity Mapping dialog opens; select the Kerberos Names tab.
5. Click Add.
6. Enter the full Novell KDC user principal name, including the realm (for example, userinNKDC@NKDC185.com).
7. Click OK.
Figure 15 – Security Identity Mapping
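The following toy model, added here as an example (it is not code from this AppNote, Novell or Microsoft), walks the four Kerberos exchanges behind the logon this AppNote configures and shows where the two configuration points above matter: the trust password from Step 3, which both KDCs must turn into the same inter-realm key, and the name mapping from Step 5, without which a valid ticket still produces no logon. Realm and user names are the AppNote's; the XP host name xp185.cert1.com, the user password, the machine-account secret and the mapped account CERT1\aduser are assumptions. Tickets are plain dicts carrying an HMAC under the issuing key, a stand-in for Kerberos encryption that is enough to demonstrate key agreement.

```python
"""Toy model of the NKDC -> AD cross-realm ticket path (added example)."""
import hashlib
import hmac
import json

NKDC_REALM = "NKDC185.com"
AD_REALM = "CERT1.COM"
USER = f"userinNKDC@{NKDC_REALM}"                # Step 4 principal
XREALM_TGS = f"krbtgt/{AD_REALM}@{NKDC_REALM}"    # Step 3 principal, NKDC -> AD direction
HOST = f"host/xp185.cert1.com@{AD_REALM}"         # assumed XP domain member
USER_PASSWORD = "Secret123"                       # constructed
MACHINE_SECRET = "xp185-machine-account-secret"   # constructed


def string_to_key(password: str, principal: str) -> bytes:
    """Stand-in for Kerberos string2key: the same password with the same
    principal name as salt must give the same key on both KDCs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 20_000)


def seal(key: bytes, body: dict) -> dict:
    """Issue a 'ticket': the body plus a MAC under the issuing key."""
    raw = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, raw, "sha256").hexdigest()}


def unseal(key: bytes, ticket: dict) -> dict:
    """Verify a 'ticket' with the key the verifier holds, or refuse it."""
    raw = json.dumps(ticket["body"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, raw, "sha256").hexdigest(), ticket["mac"]):
        raise PermissionError("ticket does not verify under this key")
    return ticket["body"]


def cross_realm_logon(nkdc_trust_password: str, ad_trust_password: str,
                      alt_security_identities: dict,
                      user_password: str = USER_PASSWORD) -> tuple:
    """Run the exchanges; return (stage, message) for the first failing step,
    or ("LOGON", account) when the user ends up logged on."""
    # Keys held by each side. Both KDCs derive the inter-realm key from the
    # trust password they were given, salted with the same principal name.
    nkdc_tgs_key = string_to_key("nkdc-master", f"krbtgt/{NKDC_REALM}@{NKDC_REALM}")
    nkdc_user_key = string_to_key(USER_PASSWORD, USER)                # NKDC database
    nkdc_xrealm_key = string_to_key(nkdc_trust_password, XREALM_TGS)  # kadmin.local addprinc
    ad_xrealm_key = string_to_key(ad_trust_password, XREALM_TGS)      # New Trust Wizard
    ad_host_key = string_to_key(MACHINE_SECRET, HOST)                 # machine account

    # 1. AS exchange with NKDC (the KDC named by ksetup /addkdc): prove the
    #    user password and get a TGT for NKDC185.com.
    if string_to_key(user_password, USER) != nkdc_user_key:
        return ("AS_REQ", "NKDC rejected the user password")
    tgt = seal(nkdc_tgs_key, {"cname": USER, "sname": f"krbtgt/{NKDC_REALM}@{NKDC_REALM}"})

    # 2. TGS exchange with NKDC: trade the TGT for a cross-realm TGT, sealed
    #    with NKDC's copy of the inter-realm key.
    body = unseal(nkdc_tgs_key, tgt)
    xtgt = seal(nkdc_xrealm_key, {"cname": body["cname"], "sname": XREALM_TGS})

    # 3. TGS exchange with the AD KDC: AD checks the cross-realm TGT with its
    #    own copy of the inter-realm key. Different trust passwords fail here.
    try:
        body = unseal(ad_xrealm_key, xtgt)
    except PermissionError:
        return ("TGS_REQ@AD", "cross-realm TGT not verifiable: trust passwords differ")
    svc = seal(ad_host_key, {"cname": body["cname"], "sname": HOST})

    # 4. AP exchange on the XP member: the host verifies the service ticket,
    #    then the foreign principal is mapped to a domain account through the
    #    altSecurityIdentities entry written in Step 5.
    body = unseal(ad_host_key, svc)
    account = alt_security_identities.get(f"Kerberos:{body['cname']}")
    if account is None:
        return ("NAME_MAPPING", f"no altSecurityIdentities entry for {body['cname']}")
    return ("LOGON", account)


# Constructed directory state: the mapping made in Step 5.
MAPPINGS = {f"Kerberos:{USER}": "CERT1\\aduser"}

if __name__ == "__main__":
    print(cross_realm_logon("trustpw", "trustpw", MAPPINGS))   # ('LOGON', 'CERT1\\aduser')
    print(cross_realm_logon("trustpw", "TrustPw", MAPPINGS))   # fails at the AD TGS step
    print(cross_realm_logon("trustpw", "trustpw", {}))         # fails at name mapping
```

The three calls at the bottom give the three outcomes a practitioner will meet: a complete logon, a failure at the AD KDC when the trust passwords (and hence the inter-realm keys) differ, and a failure after a valid ticket when no AD account is mapped to the Novell principal. The last two look alike from the logon screen, which is why the checks in Steps 3 and 5 are worth separating.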
Step 6: Completing the Login Process
On the Windows XP domain member machine, the Novell KDC realm should now appear in the "Log on to" drop-down list of the Windows logon screen.
1. Enter the user name and password of the Novell KDC user principal (userinNKDC in the example).
2. Select the Novell KDC realm (NKDC185.com) in the "Log on to" list.
3. Click OK.
Authentication should succeed and the user should be logged on to the Windows XP machine as the mapped Active Directory account, using the Novell KDC user principal credentials. If the logon fails, check the trust password and encryption type of the krbtgt principals (Step 3) before the name mapping (Step 5): a trust problem leaves the user without a ticket for the domain, while a mapping problem rejects a user who already holds a valid ticket.
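As a verification step that the AppNote does not include, the ticket chain behind a successful logon can be read off the user's credential cache: a TGT for the NKDC realm, the cross-realm TGT krbtgt/CERT1.COM@NKDC185.com, and a service ticket for the member host in CERT1.COM. The checker below is an added example (not part of the AppNote or of Novell/Microsoft tooling) that parses such a listing, reports the first missing hop together with the step to revisit, and flags single-DES tickets. The listings in it are constructed in the shape of MIT Kerberos `klist -e` output (enctype display names vary between krb5 versions, and the Windows Support Tools klist uses a different layout), with the AppNote's realm and user names and an assumed host name and timestamps; paste real output in their place.

```python
"""Check a klist -e listing for the NKDC -> AD cross-realm chain (added example)."""
import re

# Constructed listing of a working logon, in the shape of MIT `klist -e`.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: userinNKDC@NKDC185.com

Valid starting       Expires              Service principal
03/05/2007 10:00:01  03/05/2007 20:00:01  krbtgt/NKDC185.com@NKDC185.com
\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc
03/05/2007 10:00:04  03/05/2007 20:00:01  krbtgt/CERT1.COM@NKDC185.com
\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc
03/05/2007 10:00:06  03/05/2007 20:00:01  host/xp185.cert1.com@CERT1.COM
\tEtype (skey, tkt): arcfour-hmac, arcfour-hmac
"""
# The same cache when the AD KDC rejected the cross-realm TGT (for example
# because the trust passwords differ): the CERT1.COM service ticket is absent.
SAMPLE_TRUST_BROKEN = "\n".join(SAMPLE_KLIST.splitlines()[:8]) + "\n"

TICKET_RE = re.compile(r"^\S+ \S+\s+\S+ \S+\s+(?P<sname>\S+@\S+)$")
ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\): (?P<skey>[^,]+), (?P<tkt>.+)$")


def is_single_des(etype: str) -> bool:
    """True for des-cbc-crc/des-cbc-md5 and older display names such as
    'DES cbc mode with CRC-32'; triple DES ('des3-...') is not flagged."""
    return etype.strip().lower().replace(" ", "-").startswith("des-cbc")


def parse_klist(text: str) -> tuple:
    """Return (default principal, list of tickets) from a klist -e listing."""
    principal, tickets = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        elif (m := TICKET_RE.match(line)):
            service, realm = m["sname"].rsplit("@", 1)
            tickets.append({"sname": m["sname"], "service": service,
                            "realm": realm, "etypes": ()})
        elif (m := ETYPE_RE.match(line)) and tickets:
            tickets[-1]["etypes"] = (m["skey"].strip(), m["tkt"].strip())
    return principal, tickets


def check_cross_realm_chain(text: str, user_realm: str, target_realm: str) -> dict:
    """Report which hops of the cross-realm path are present, what to check
    for the first missing one, and which tickets still use single DES."""
    principal, tickets = parse_klist(text)
    snames = {t["sname"] for t in tickets}
    local_tgt = f"krbtgt/{user_realm}@{user_realm}"
    xrealm_tgt = f"krbtgt/{target_realm}@{user_realm}"
    services = [t["sname"] for t in tickets
                if t["realm"] == target_realm and not t["service"].startswith("krbtgt/")]
    weak = [t["sname"] for t in tickets if any(is_single_des(e) for e in t["etypes"])]

    problems = []
    if not (principal and principal.endswith("@" + user_realm)):
        problems.append(f"default principal {principal!r} is not in {user_realm}")
    if local_tgt not in snames:
        problems.append(f"no {local_tgt}: the AS exchange with NKDC failed "
                        "(check ksetup /addkdc and the user password)")
    elif xrealm_tgt not in snames:
        problems.append(f"no {xrealm_tgt}: NKDC has no such krbtgt principal (Step 3)")
    elif not services:
        problems.append(f"no service ticket in {target_realm}: the AD KDC could not "
                        "use the cross-realm TGT (trust password or enctype mismatch)")
    if weak:
        problems.append("single-DES tickets (deprecated, RFC 6649): " + ", ".join(weak))
    return {"principal": principal, "has_local_tgt": local_tgt in snames,
            "has_cross_realm_tgt": xrealm_tgt in snames,
            "target_realm_services": services, "weak_enctype_tickets": weak,
            "problems": problems}


if __name__ == "__main__":
    for name, listing in (("working", SAMPLE_KLIST), ("trust broken", SAMPLE_TRUST_BROKEN)):
        result = check_cross_realm_chain(listing, "NKDC185.com", "CERT1.COM")
        print(name, "->", result["problems"] or ["cross-realm chain complete"])
```

On the working listing the only finding is the pair of single-DES tickets, which is exactly what the des:normal choice in Step 3 produces; on the truncated listing the checker points at the AD side of the trust, which is the place to compare the trust password and encryption type before touching the name mapping.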
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.