Kerberos authentication issues authentication tickets, which the system uses in a manner similar to private-key authentication. Ticket processing involves retrieving a key from a KDC (Key Distribution Center). Kerberos uses reverse DNS (Domain Name System) to locate the referenced Key Distribution Center, so a reverse DNS entry must exist on the DNS servers used by both the client and the station. Otherwise, users are unable to acquire Kerberos tickets and log in.
This procedure documents how to configure both a PC client and a station to access a KDC. While modifying the hosts file is simple enough for a single station, and can be useful for testing your Kerberos setup, this approach is tedious and error-prone when dealing with multiple stations and multiple client machines. Setting up DNS servers with reverse DNS entries is the recommended best practice.
- Contact your IT administrator to see if the appropriate entry exists on the LDAP server.
If you do not have a workable reverse DNS entry, you may configure an entry in the hosts file on each client PC and station. This entry maps the IP address of the Key Distribution Center to its name.
Note: Configuring the mapping in the hosts file is acceptable for testing purposes, but is not recommended on a production system where the site is live and many people need to access it. Proper DNS entries are far more desirable than modified hosts files. If the DNS entries do not already exist, request that your IT administrator add them.
On Windows PCs, the hosts file is located at C:\Windows\System32\drivers\etc\hosts. On Linux hosts it is located at /etc/hosts.
- Add the following entry in your client hosts file:
nnn.nnn.nnn.nnn kdc.domain.net
where nnn.nnn.nnn.nnn is the IP address of the KDC and kdc.domain.net is its domain name.
- On each platform, use the platform TCP/IP Configuration view (or the equivalent view on the station's TcpIpPlatformService) to access and edit the hosts file with the same entry.
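As an added example that is not part of this documentation, the following Python script parses a hosts file, checks that the KDC name resolves to the expected address, and confirms that a reverse lookup of that address returns the KDC's name, which is the condition the note above says must hold before users can obtain tickets. By default check_kdc uses the system resolver, which on most platforms consults the hosts file; the embedded hosts text, the address 192.0.2.10 and the name kdc.domain.net are constructed placeholders so the check can be exercised offline.

```python
import ipaddress
import socket

SAMPLE_HOSTS = """\
127.0.0.1    localhost
192.0.2.10   kdc.domain.net   # constructed placeholder KDC entry
"""

def parse_hosts(text):
    """Map each host name in hosts-file text to its address (first entry wins)."""
    mapping = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments, split on whitespace
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except (IndexError, ValueError):
            continue  # blank, comment-only or malformed line
        for name in fields[1:]:
            mapping.setdefault(name.lower(), addr)
    return mapping

def hosts_resolvers(mapping):
    """Forward/reverse lookups backed by a parsed hosts mapping (no network)."""
    by_addr = {a: n for n, a in reversed(list(mapping.items()))}  # first name wins
    def forward(name):
        if name.lower() not in mapping:
            raise OSError(f"no hosts entry for {name}")
        return mapping[name.lower()]
    def reverse(addr):
        if addr not in by_addr:
            raise OSError(f"no reverse mapping for {addr}")
        return by_addr[addr], [], [addr]  # same shape as socket.gethostbyaddr
    return forward, reverse

def check_kdc(kdc_name, expected_ip, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Return problems found; an empty list means forward and reverse agree."""
    try:
        addr = forward(kdc_name)
    except OSError as exc:
        return [f"forward lookup of {kdc_name} failed: {exc}"]
    problems = []
    if addr != expected_ip:
        problems.append(f"{kdc_name} resolves to {addr}, expected {expected_ip}")
    try:
        rname = reverse(addr)[0]
    except OSError as exc:
        return problems + [f"reverse lookup of {addr} failed: {exc}"]
    if rname.lower() != kdc_name.lower():
        problems.append(f"{addr} reverses to {rname}, not {kdc_name}")
    return problems
```

Calling check_kdc with the real KDC name and address on a client or station (with the default resolvers) reports whether that machine's hosts file or DNS gives a consistent answer; a short name such as kdc instead of kdc.domain.net is reported as a mismatch.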