Security Solutions: Native-mode Kerberos

In this week's Security Solutions TechMail column, Mike Mullins addresses the Kerberos authentication scheme for Microsoft Windows 2000 native-mode domains. Have you had problems implementing Kerberos authentication? Share your comments here.

Here is the link to the Microsoft resource mentioned in Michael Mullins' column:

- HOW TO: Enable Kerberos Event Logging (Microsoft Knowledge Base article 262177)



All Comments


What about Kerberos V for Unix?

by felipe_alfaro In reply to Security Solutions: Nativ ...

This is an interesting article, but as always, makes the assumption the whole world is running on Windows. However, there are more OS in the world, for example Solaris, NetBSD, FreeBSD, OpenBSD, GNU/Linux, HP/UX, AIX, QNC, BeOS, etc.

It would be interesting to see articles on how to install, configure and use Kerberos on Unix-like platforms, for example, GNU/Linux or *BSD. I could even write such an

I have recently deployed Kerberos V on my LAN. All the machines are running GNU/Linux and OpenSSH (with its proper Kerberos support) so I can log on to my workstation and access all other hosts remotely using SSH without needing to specify my password. This is single sign-on come true, and when combined with OpenLDAP, it's roughly equivalent to Active Directory.


Native mode client requirements

by Joshua1 In reply to Security Solutions: Nativ ...

I think this article contains an error, or at least a source of confusion. It seems to say that Native mode is only if all your clients & servers are W2k or higher, which is true of Kerberos, but not of Native mode. Native/Mixed refers to the presence of NT BDCs.
From the article:
Windows 2000 domains can operate in either mixed mode (contains pre-Win2K clients or servers) or native mode (all Win2K or greater clients and servers).

Native mode means you can't run NT Domain Controllers, but you can still run older clients & member servers.

From Windows & .Net magazine (
"native mode doesn't support NT domain controllers; you can only have Win2K domain controllers. However, you can have NT workstations and member servers in native mode."

If I'm incorrect, please clarify the client requirements of Native mode.

I'm running a Mixed mode w/ mostly NT 4.0 clients, some W2k pro, and a few 9x machines. My servers are all on W2k and I'm preparing to move to Native.


by IT-Matters In reply to Native mode client requir ...

I agree with you in that if the article is not an error, then it is confusing. You are correct in that all domain controllers must be W2K in order to go native. We ran in mixed mode for a few months until we upgraded all our DCs to W2K. We then went native without a hitch.


I agree cont...

by IT-Matters In reply to

P.S. We still have a few NT clients (after going native) and they authenticate fine.


by Joshua1 In reply to I agree cont...

That's my biggest fear (the clients). I have almost all NT 4.0 clients. I come across articles like this that seem to say you can't go native w/ older clients and it makes me nervous about pulling the trigger.

I'm always keeping a lookout for other people's experiences w/ switching to Native. Seems to go smoothly, though.

by Mike Mullins In reply to Native mode client requir ...

The part about native mode was specific to native mode authentication. If all of the clients and servers in the authentication puzzle are Win2k or higher, then "native mode authentication - Kerberos" occurs.

I think we all realize that Native mode as MS puts it, means no NT BDC/PDCs in the same forest. Thanks for the question.


Check your facts

by turtletnt In reply to Security Solutions: Nativ ...

For one thing, DNS operates on UDP port 53, not TCP as stated in the article.

Someone has already pointed out that only domain controllers need to be 2k or better to switch to native mode.

Perhaps this would be a better post in the paper mcse category.


Check your facts on DNS

by Mike Mullins In reply to Check your facts

DNS will operate on UDP or TCP and the preferred method within a Native domain is TCP. It all comes down to how many bytes a UDP packet can take.

If you'd like more in-depth information on Windows DNS over TCP, you can get it from Q179442. In a previous newsletter, I covered the change in DNS protocol that occurred in the newer versions of BIND and the benefits of using TCP rather than UDP.

Thanks for the question.
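To make the UDP size point concrete, here is an added example (not part of the thread or any poster's text) that builds a DNS A query and a server's answer to it, sets the TC flag when the answer would exceed the classic 512-byte DNS-over-UDP limit, and shows the length-prefixed framing used when the client retries over TCP. The name and addresses are constructed; EDNS0, which raises the UDP limit, is deliberately left out.

```python
import struct

UDP_PAYLOAD_LIMIT = 512  # classic DNS-over-UDP ceiling (RFC 1035, without EDNS0)
QTYPE_A, QCLASS_IN = 1, 1

def encode_name(name):
    """Encode a dotted name as DNS labels: "ldap.example.com." -> 4ldap 7example 3com 0."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Minimal query: 12-byte header with RD set, plus one question entry."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)

def parse_header(msg):
    """Header fields a resolver needs for its transport decision (QR, TC, counts)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}

def build_udp_response(query, addresses, ttl=300):
    """Answer an A query as a server would over UDP. Each RR is a compression
    pointer to the question name (0xC00C), type, class, TTL, RDLENGTH and four
    address bytes: 16 bytes per record. If the whole message would not fit in
    512 bytes the server sets TC=1; this example omits the answer section in
    that case (servers may include a partial one). TC=1 is what tells the
    client to retry the same question over TCP."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]  # the question section is echoed back unchanged
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
                   + bytes(int(o) for o in a.split(".")) for a in addresses)
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=0
    if 12 + len(question) + len(rrs) > UDP_PAYLOAD_LIMIT:
        flags |= 0x0200  # TC: answer truncated
        rrs, ancount = b"", 0
    else:
        ancount = len(addresses)
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + question + rrs

def needs_tcp_retry(udp_response):
    """A response (QR=1) with TC=1 is incomplete; the client must re-ask over TCP."""
    h = parse_header(udp_response)
    return h["qr"] and h["tc"]

def frame_for_tcp(msg):
    """DNS over TCP prefixes every message with a two-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg
```

With a 22-byte question, 29 A records (498 bytes) still fit in one UDP datagram, while 30 or more push the message past 512 bytes and force the TC/TCP path; a domain publishing many records under one name hits this limit quickly.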
