On 2010-09-30, at 11:24 AM, Nicholas F Miller wrote:

> Does anyone actually have GSS-TSIG working with an Active Directory? I see 
> plenty of posts from people trying to get it to work. I have yet to see 
> anyone who claims to actually have it working. Did MS change something in 
> 2008r2 since GSS-TSIG was implemented in bind to make it inoperable?

Right after GSS-TSIG appeared I built a lab for the purpose of demonstrating 
and documenting a working setup.

That lab contained a couple of W2k3 servers, XP clients and BIND servers 
running on FreeBSD. I went from bare iron to a working W2k domain using 
BIND+GSS-TSIG exclusively for name service.

As I recall, I did the initial population of the zone used for the W2k domain 
without security enabled, i.e. I informed the Windows machine that the BIND 
server was to be used and configured the BIND server to allow updates from the 
Windows server on the basis of its IP address, then ran dcpromo.exe to create 
the domain, then did the necessary Kerberos bits, then locked down the BIND 
server to henceforth accept only GSS-TSIG authenticated updates.

I haven't touched this stuff since, though, so I have nothing to say about how 
it might work with contemporary Windows and BIND versions.
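For readers following the two-stage approach described above, here is an added
example (not from the original poster or from the bind-users thread) of what the
"allow by IP, then lock down" sequence looks like in named.conf. The zone name
example.com, realm EXAMPLE.COM, addresses 192.0.2.10 (the DC) and keytab path
are constructed placeholders; the tkey-gssapi-keytab option and the ms-self /
ms-subdomain rule types assume a BIND 9.8 or later build with GSSAPI support,
which is newer than the versions discussed in the thread.

```conf
# --- Stage 1: bootstrap (weak) ---
# Used only while dcpromo.exe populates the zone. Any host that can spoof
# 192.0.2.10 as a source address can rewrite the zone, so this must not
# stay in production.
zone "example.com" {
    type master;
    file "dynamic/example.com.db";
    allow-update { 192.0.2.10; };   # 192.0.2.10 = the future DC (placeholder)
};

# --- Stage 2: locked down to GSS-TSIG ---
options {
    # Keytab holding DNS/ns1.example.com@EXAMPLE.COM (placeholder path);
    # BIND uses it to accept TKEY negotiations from Kerberos clients.
    tkey-gssapi-keytab "/etc/namedb/dns.keytab";
};

zone "example.com" {
    type master;
    file "dynamic/example.com.db";
    # No allow-update: unauthenticated updates are refused outright.
    update-policy {
        # A machine account (HOST$@EXAMPLE.COM) may update only its own
        # A/AAAA records.
        grant EXAMPLE.COM ms-self * A AAAA;
        # Domain controllers register SRV/CNAME records under _msdcs,
        # _sites, _tcp and _udp; allow the realm's principals there.
        grant EXAMPLE.COM ms-subdomain _msdcs.example.com. ANY;
        grant EXAMPLE.COM ms-subdomain _sites.example.com. ANY;
        grant EXAMPLE.COM ms-subdomain _tcp.example.com.   ANY;
        grant EXAMPLE.COM ms-subdomain _udp.example.com.   ANY;
    };
};
```

The two zone stanzas are alternatives, not meant to coexist: replace the first
with the second once the domain exists. After the switch, an unsigned update
from the DC's address should be logged as refused by named, which is the check
that the lockdown actually took effect.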

bind-users mailing list