The following settings are found at this location in the Group Policy Management Console:
Computer Configuration\Administrative Templates\System\Kerberos
Policy: Define host name-to-Kerberos realm mappings
This policy setting lets you specify the DNS host names and the DNS suffixes that are mapped to a Kerberos realm.
If you enable this policy setting, you can view and change the list of DNS host names and DNS suffixes that are mapped to a Kerberos realm as defined by Group Policy.
If you disable this policy setting, the host name-to-Kerberos realm mappings list that Group Policy defines is deleted.
If you do not configure this policy setting, the system uses the host name-to-Kerberos realm mappings that are defined in the local registry, if the realm mappings exist.
To view the list of mappings, enable the policy setting, and then click Show.
To add a mapping, follow these steps:
- Enable the policy setting.
- Note the syntax, and then click Show.
- Click Add, and then enter a realm name, the list of DNS host names, and the DNS suffixes by using the syntax that you noted in step 2.
To remove a mapping, click the mapping entry, and then click Remove.
To edit a mapping, remove the current entry from the list, and then add a new mapping that has different parameters.
Policy: Define interoperable Kerberos version 5 realm settings
This policy setting configures the Kerberos client so that the client can authenticate with interoperable Kerberos version 5 realms, as defined by this policy setting.
If you enable this policy setting, you can view and change the list of interoperable Kerberos version 5 realms and their settings.
If you disable this policy setting, the interoperable Kerberos version 5 realm settings that Group Policy defines are deleted.
If you do not configure this policy setting, the system uses the interoperable Kerberos version 5 realm settings that are defined in the local registry, if the realm settings exist.
To view the list of interoperable Kerberos version 5 realms, enable the policy setting, and then click Show.
To add an interoperable Kerberos version 5 realm, follow these steps:
- Enable the policy setting.
- Note the syntax, and then click Show.
- Click Add, enter the interoperable Kerberos version 5 realm name in the Value Name box, and then type the definition of settings in the Value box. Use the syntax that you noted in step 2.
To remove an interoperable Kerberos version 5 realm, click the Kerberos version 5 entry, and then click Remove.
To edit a realm entry, remove the current entry from the list, and then add a new entry that has different settings.
Policy: Require strict KDC validation
This policy setting controls the Kerberos client's behavior when the client validates the Key Distribution Center (KDC) certificate.
If you enable this policy setting:
- The Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions.
- The Kerberos client requires that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain.
- If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate be signed by a certification authority in the NTAUTH store.
- If the computer is not joined to a domain, the Kerberos client allows for the root certification authority certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.
If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions.
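The following Python model shows how the checks above differ between the enabled (strict) and the disabled or not-configured state; it is an added example, not Microsoft code. Certificate fields are passed in already extracted, the OIDs are the standard id-kp-serverAuth and id-pkinit-KPKdc values, and path validation is simplified to "the issuer is one of the trusted CAs" (assumptions, as are the sample names).

```python
"""Model of the KDC certificate checks behind 'Require strict KDC validation'.
Added example, not Microsoft code. X.509 parsing and full chain building are
out of scope; the caller supplies the extracted fields."""
from dataclasses import dataclass, field

# Key-purpose OIDs: id-kp-serverAuth (RFC 5280) and id-pkinit-KPKdc (RFC 4556)
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"
KDC_AUTH_OID = "1.3.6.1.5.2.3.5"


@dataclass
class KdcCert:
    """Fields pulled from a KDC's X.509 certificate (constructed sample data)."""
    eku_oids: set
    san_dns_names: list = field(default_factory=list)
    issuer: str = ""


def validate_kdc_cert(cert, domain_dns_name, strict, domain_joined,
                      ntauth_cas=frozenset(), smartcard_roots=frozenset()):
    """Return the list of policy failures; an empty list means the cert is accepted.

    strict=False mirrors 'disabled or not configured': only the Server
    Authentication EKU is required. strict=True applies the four bullets of the
    enabled setting. Path validation is reduced to an issuer lookup (assumption).
    """
    failures = []
    if not strict:
        if SERVER_AUTH_OID not in cert.eku_oids:
            failures.append("EKU lacks Server Authentication")
        return failures
    if KDC_AUTH_OID not in cert.eku_oids:
        failures.append("EKU lacks KDC Authentication")
    # dNSName SAN must match the domain's DNS name (case-insensitive, exact)
    if domain_dns_name.lower() not in {n.lower() for n in cert.san_dns_names}:
        failures.append("no dNSName SAN matches the domain DNS name")
    if domain_joined:
        if cert.issuer not in ntauth_cas:
            failures.append("issuer not in NTAUTH store")
    elif cert.issuer not in smartcard_roots:
        failures.append("issuer not among the smart card root CAs")
    return failures


if __name__ == "__main__":
    # Constructed sample: a cert issued from a plain web-server template.
    legacy = KdcCert({SERVER_AUTH_OID}, [], "CN=Example Issuing CA")
    print(validate_kdc_cert(legacy, "corp.example.test", strict=False, domain_joined=True))
    print(validate_kdc_cert(legacy, "corp.example.test", strict=True, domain_joined=True,
                            ntauth_cas={"CN=Example Issuing CA"}))
```

The first call accepts the legacy certificate, the second reports both the missing KDC Authentication EKU and the missing SAN, which is the usual reason enabling this policy breaks smart card logon against DCs holding older certificates.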