Lara,

I am trying to refresh my memory since I had to perform the same steps while
rebuilding our test environment a while back.  Basically, we had to do it in
2 steps in the order listed below.  

1.  Create and import a custom ADM template that predefines the Kerberos
REALM key in the registry.  This ensures that the REALM name is created in
UPPERCASE.  If you try doing this in the SCEREGVL.INF file, the realm name is
created, but in lowercase.  Proceed to step 2 once the registry key has been
propagated. 

2.  Edit the SCEREGVL.INF file and add the specific entries for your
KERBEROS realm.  Once you reload the file, the settings will show up under
the Computer Configuration node within Windows Settings\Security
Settings\Local Policies\Security Options.

I have added the sample ADM file and entries for the Security Configuration
Editor file below.  

Also, if you haven't already, you may also want to look at the NSA Windows
2000 Security Configuration guides at: 

http://www.nsa.gov/snac/downloads_win2000.cfm?MenuID=scg10.3.1.1

I hope this helps.

Arden

***************ADM FILE***************************************
Class MACHINE
Category !!AdministrativeServices
Category !!Kerberos
Policy !!SetRealmFlags 
Keyname "System\CurrentControlSet\Control\Lsa\Kerberos\Domains\YOURREALM.COM"
Explain !!SetRealmFlags_Help
Part !!RealmFlags Numeric Required
  Valuename "RealmFlags"
  Default 8
End Part
End Policy
End Category ;;Kerberos

End Category ;;AdministrativeServices
[strings]
AdministrativeServices="System"
Kerberos="Kerberos RealmFlags"
RealmFlags="RealmFlags value"
SetRealmFlags="Set YOURREALM.COM Kerberos RealmFlags variable"
SetRealmFlags_Help="Creates the realm name variable key for YOURREALM.COM and allows referrals to work properly.\n\nThis key is created to allow the security policy defining the KDC mappings for the realm to have the proper realm name variable in the registry.\n\nThe value set here (RealmFlags) allows proper referrals from the MIT-based Kerberos realm. See http://www.citi.umich.edu/u/kwc/krb5stuff/referral.html";
;End of Strings

**************SCEREGVL.INF file********************************

[Register Registry Values]

; Kerberos
; ==================================================================================
; http://www.microsoft.com/windows2000/techinfo/reskit/en/regentry/95146.htm
; http://www.microsoft.com/windows2000/techinfo/reskit/en/regentry/95141.htm
; Entry syntax: RegPath,RegType,DisplayName,DisplayType
; (RegType 7 = REG_MULTI_SZ, DisplayType 4 = multi-valued list)

MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Domains\YOURREALM.COM\KpasswdNames,7,%Kpasswd%,4
MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Domains\YOURREALM.COM\KdcNames,7,%Knames%,4
; ==================================================================================

[Strings]

; =============================== YOURREALM =========================================
Kpasswd = "Kerberos: YOURREALM.COM realm Change Password Protocol Servers (YOURREALM)"
Knames = "Kerberos: YOURREALM.COM realm KDC servers (YOURREALM)"



> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Lara Adianto
> Sent: Wednesday, April 14, 2004 1:53 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Using Security Configuration Template 
> instead of Ksetup...
> 
> Hello,
> 
> In 'Step-by-step Guide to Kerberos 5 Interoperability'
> document, it is stated as follows:
> "To deploy realm configuration data to multiple computers, 
> use the security configuration template mechanism instead of 
> using Ksetup explicitly on individual computers"  
> 
> Is there any good document / howto about how to use security 
> configuration template to achieve the same results as ksetup ?
> 
> I've been reading some of Microsoft's knowledge articles such 
> as: How to add custom registry settings to security 
> configuration editor, how to create custom administrative 
> templates in windows 2000, etc., but I haven't got a clear 
> picture of how it can be done using security configuration template.
> 
> This is the part that I don't understand:
> "Once the Sceregvl.inf file has been modified and registered, 
> your custom registry values are exposed in the SCM UI's on 
> that machine. You can then create security templates or 
> policies that define your new registry values. These 
> templates or policies can then be applied to any machine 
> regardless of whether Sceregvl.inf has been modified on the 
> target machine or not." (taken from Microsoft's article: How 
> to add custom registry settings to security configuration 
> editor). Is SCM the same as security configuration tool and analysis ?
>  
> Well...from reading the article, my guess is that I will need 
> to update sceregvl.inf, register the changes by doing 
> 'regsvr32 scecli.dll', and also change the group policy.
> 
> Anyway, I've tried to update sceregvl.inf but it didn't work 
> :-( The changes didn't seem to be reflected in the registry 
> editor as usually happens using ksetup.
> 
> -lara- 
> 
> =====
> ------------------------------------------------------------------------------------
> Life, you see, is never as good nor as bad as one thinks
>           - Guy de Maupassant -
> ------------------------------------------------------------------------------------
> 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
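
A read-only check for the outcome of the two steps in the reply above, added here as an example and not part of the original thread: it confirms on a target machine that the realm key is stored in uppercase and that the KdcNames, KpasswdNames and RealmFlags values exist with the types the templates define. It is written in PowerShell, which postdates Windows 2000; `YOURREALM.COM` is the placeholder from the post and `Test-RealmKey` is a hypothetical helper name.

```powershell
# Added example (not from the thread): audit the Kerberos realm key that the
# ADM template and the SCEREGVL.INF entries are expected to produce.
# Read-only; makes no registry changes.
$expectedRealm = 'YOURREALM.COM'   # placeholder realm name used in the post
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains'

function Test-RealmKey {           # hypothetical helper name
    param([string]$BasePath, [string]$Realm)

    if (-not (Test-Path -LiteralPath $BasePath)) {
        "Missing: $BasePath (no realm configuration has propagated)"
        return
    }
    # Registry key lookups ignore case, so find the key case-insensitively
    # and then compare the stored spelling with a case-sensitive operator.
    $key = Get-ChildItem -LiteralPath $BasePath |
        Where-Object { $_.PSChildName -ieq $Realm } |
        Select-Object -First 1
    if (-not $key) { "Missing: realm key $Realm"; return }
    if ($key.PSChildName -cne $Realm.ToUpperInvariant()) {
        "Case: key stored as '$($key.PSChildName)', expected uppercase"
    }

    $names = $key.GetValueNames()
    # KdcNames and KpasswdNames are declared as type 7 (REG_MULTI_SZ) in the INF.
    foreach ($name in 'KdcNames', 'KpasswdNames') {
        if ($names -notcontains $name) {
            "Missing: value $name"
        } elseif ($key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::MultiString) {
            "Type: $name is $($key.GetValueKind($name)), expected REG_MULTI_SZ"
        } elseif (-not ($key.GetValue($name) | Where-Object { $_ })) {
            "Empty: $name lists no servers"
        }
    }
    # The ADM template in the post sets RealmFlags with a default of 8.
    if ($names -notcontains 'RealmFlags') {
        'Missing: value RealmFlags'
    } elseif ($key.GetValue('RealmFlags') -ne 8) {
        "RealmFlags is $($key.GetValue('RealmFlags')), template default is 8"
    }
}

$findings = @(Test-RealmKey -BasePath $base -Realm $expectedRealm)
if ($findings.Count -eq 0) {
    "OK: $expectedRealm realm configuration matches the templates"
} else {
    $findings
}
```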
