General discussion

  • Creator
  • #2305536

    Security Solutions: Native-mode Kerberos


    by discussion ·

    In this week’s Security Solutions TechMail column, Mike Mullins addresses the Kerberos authentication scheme for Microsoft Windows 2000 native-mode domains. Have you had problems implementing Kerberos authentication? Share your comments here.

    Here is the link to the Microsoft resource mentioned in Michael Mullins’ column:

    – HOW TO: Enable Kerberos Event Logging (262177):;en-us;262177

    *Remember to remove any spaces before pasting this link into your browser.
    If you’d like to learn more about the Security Solutions TechMail, point to this link and click Security Solutions to see a sample. If you’re interested, you can also sign up:

All Comments

  • Author
    • #3359346

      What about Kerberos V for Unix?

      by felipe_alfaro ·

      In reply to Security Solutions: Native-mode Kerberos

      This is an interesting article, but as always, makes the
      assumption the whole world is running on Windows.
      However, there are more OS in the world, for example
      Solaris, NetBSD, FreeBSD, OpenBSD, GNU/Linux,
      HP/UX, AIX, QNC, BeOS, etc.

      Itwould be interesting to see articles on how to install,
      configure and use Kerberos on Unix-like platforms, for
      example, GNU/Linux or *BSD. I could even write such an

      I have recently deployed Kerberos V on my LAN. All the
      machines are running GNU/Linux and OpenSSH (with its
      proper Kerberos support) so I can log on to my workstation
      and access all other hosts remotely using SSH without
      needing to specify my password. This is single-sign on
      came true, and when combined with OpenLDAP, it’s
      roughly equivalent to Active Directory.

    • #3359309

      Native mode client requirements

      by joshua1 ·

      In reply to Security Solutions: Native-mode Kerberos

      I think this article contains an error, or at least a source of confusion. It seems to say that Native mode is only if all your clients & servers are W2k or higher, which is true of Kereberos, but not of Native mode. Native/Mixed refers to the presence of NT BDC’s.
      From the article:
      Windows 2000 domains can operate in either mixed mode (contains pre-Win2K clients or servers) or native mode (all Win2K or greater clients and servers).

      Native mode means you can’t run NT Domain Controllers, but you can still run older clients & member servers.

      From Windows & .Net magazine (
      “native mode doesn?t support NT domain controllers; you can only have Win2K domain controllers. However, you can have NT workstations and member servers in native mode.”

      If I’m incorrect, please clarify the client requirements of Native mode.

      I’m running a Mixed mode w/ mostly NT 4.0 clients, some W2k pro, and a few 9x machines. My servers are all on W2k and I’m preparing to move to Native.

      • #3357836

        Reply To: Security Solutions: Native-mode Kerberos

        by it-matters ·

        In reply to Native mode client requirements

        I agree with you in that if the aritcle is not an error, then it is confusing. You are correct in that all domain controlers must be W2K in order to go native. We ran in mixed mode for a few months until we upgraded all our DCs W2K. We then went native without a hitch.

        • #3357833

          I agree cont…

          by it-matters ·

          In reply to Reply To: Security Solutions: Native-mode Kerberos

          P.S. We still have a few NT clients (after going native) and they authenticate fine.

        • #3357721

          Reply To: Security Solutions: Native-mode Kerberos

          by joshua1 ·

          In reply to I agree cont…

          That’s my biggest fear (the clients). I have almost all NT 4.0 clients. I come across articles like this that seem to say you can’t go native w/ older clients and it makes me nervous about pulling the trigger.

          I’m always keeping a lookout for other people’s experiences w/ switching to Native. Seems to go smoothly, though.

      • #3533180


        by mike mullins ·

        In reply to Native mode client requirements

        The part about native mode, was specific to native mode authentication. If all of the clients and servers in the authentication puzzle are Win2k or higher, then “native mode authentication – Kerberos” occurs.

        I think we all realize that Native mode as MS puts it, means no NT BDC/PDCs in the same forest. Thanks for the question.

    • #3357822

      Check your facts

      by turtletnt ·

      In reply to Security Solutions: Native-mode Kerberos

      For one thing, DNS operates on UDP port 53, not TCP as stated in the article.

      Someone Has already pointed out that only domain controllers need to be 2k or better to switch to native mode.

      Perhaps this would be a better post in the paper mcse category.

      • #3533176

        Check your facts on DNS

        by mike mullins ·

        In reply to Check your facts

        DNS will operate on UDP or TCP and the prefered method within a Native domain is tcp. It all comes down to how many bytes a udp packet can take.

        If you’d like more indepth information on windows dns over tcp, you can get it from Q179442. In a previous newsletter, I covered the change in DNS protocol that occurred in the newer versions of bind and the benefits of using tcp rather than udp.

        Thanks for the question.

Viewing 2 reply threads