Windows Active Directory Service at Penn State - Information Technology Services

Change to KDC Settings, Effective July 12, 2006

The Windows process for locating K5 KDCs

The problem:

Until now, computers running the Windows operating system that use Active Directory to authenticate Penn State Access Accounts have used a local registry setting in order to find the names of the MIT Kerberos 5 Key Distribution Center (KDC) servers. The key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\dce.psu.edu contains a value called KdcNames, which is a list of KDCs to use for the Kerberos protocol (in hexadecimal UTF-16 format). Windows uses the first KDC on that list for all of its Kerberos communication. This creates a performance issue and does not evenly distribute the load between the three current KDCs. The current way of adding records to the registry also makes it difficult to add or replace a KDC should it be necessary to do so in the future.

The solution:

In order to improve the situation, ASET has recently put Kerberos DNS SRV records in place that will help eliminate the two issues noted above. These SRV records are rotated in round-robin order by the DNS protocol, which distributes the load evenly among the KDCs. This helps with providing optimal performance and reliability. By being a centrally controlled setting, this also permits easy additions, deletions or replacement of KDCs in the future.

What Active Directory Direct Trust, Child Domain & Organizational Unit administrators need to do:

In order to make this work, the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\dce.psu.edu and its value RealmFlags of type REG_DWORD should still be present, with the latter set to 8; however, the value KdcNames should no longer be present. With KdcNames removed, Windows will try to find the KDCs via DNS. The presence of the key is what causes the dce.psu.edu realm name to appear in the drop-down box. The value RealmFlags, set to 8, allows Kerberos referrals to work properly.
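The registry state described above, applied and then checked from PowerShell. This is an added example, not the ksetup-srv.vbs script or psuksetup.reg file from this page; it assumes an elevated session, that the Kerberos SRV records are published under the conventional _kerberos._udp.dce.psu.edu name (the page does not state the record name), and that Resolve-DnsName is available (Windows 8 / Server 2012 or later).

```powershell
# Added example: enforce DNS SRV-based KDC discovery for the dce.psu.edu realm.
$realm   = 'dce.psu.edu'
$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\$realm"

# The key itself must exist: its presence is what lists the realm in the logon drop-down box.
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# RealmFlags = 8 (REG_DWORD) is required for Kerberos referrals to work.
New-ItemProperty -Path $keyPath -Name 'RealmFlags' -PropertyType DWord -Value 8 -Force | Out-Null

# Remove the static KdcNames list so Windows stops pinning itself to the first KDC
# and falls back to DNS SRV lookups (the .reg file on the page does not do this step).
$props = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
if ($null -ne $props -and $props.PSObject.Properties.Name -contains 'KdcNames') {
    Remove-ItemProperty -Path $keyPath -Name 'KdcNames'
}

# Read back the final state: RealmFlags should be 8 and KdcNames should be absent.
Get-ItemProperty -Path $keyPath | Select-Object RealmFlags, KdcNames

# Confirm the SRV records the locator now depends on are actually resolvable.
# Assumption: records are named _kerberos._udp.<realm>, the Kerberos convention.
Resolve-DnsName -Name "_kerberos._udp.$realm" -Type SRV -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Port, Priority, Weight
```

If the final Resolve-DnsName call returns no SRV records, leave KdcNames in place until DNS is fixed; a machine with neither setting has no way to locate a KDC.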

Making it easier:

A script has been written to handle automated creation of the key and RealmFlags value for computers as they are added to Active Directory. It also removes the KdcNames value as needed from machines that already have the registry setting. It can be found here as ksetup-srv.vbs. This script has been added as a startup script to the PSU-Kerb-Setup GPO in the ACCESS domain. Feel free to link this GPO to your OU and test the addition/removal of the registry entries. You also may download the updated psuksetup.reg file if you wish to manually add the key. While the registry file will add the correct registry entries, it will not delete the old KdcNames value and is only meant for fresh installations into the domain.

Download/Link to GPO:

To take advantage of DNS SRV records for Penn State Access Account authentication in Active Directory, choose one of the following options:

  1. Link to the PSU-Kerb-Setup GPO in the ACCESS domain.

  2. Download ksetup-srv.vbs, for automated editing of the registry.

  3. Download psuksetup.reg, an updated registry key for manual addition to new computers.


The Pennsylvania State University ©2007. All rights reserved.
This site maintained by Academic Services and Emerging Technologies, a unit of Information Technology Services.

Problem reports and requests for assistance should be directed to ITS Help Desk staff.

Last revised: Friday, August 31, 2007.