Setting up a client PC for Kerberos
For any computer to access (as a client) a station that supports Kerberos authentication, you must update a Kerberos configuration
file (
krb5) in the PC with the default realm and define which flags to set on acquired tickets. (Kerberos authentication requires the
ability to acquire Kerberos tickets that can be forwarded.) In addition, you must update the Windows registry.
- In
- In the Basic Krb5 Conf Editor view, click the
Forwardablecheckbox to set the property value to “true” and click the toolbar icon to save your change, as shown here.
NOTE: If your Kerberos setup requires a more advancedkrb5.confconfiguration, you can manually configure the file using the Advanced Krb5 Conf Editor view, located under the View dropdown list, as shown here.Also, if you are working with Linux, some systems may require a more advanced krb5.conf file. If that is the case, have your Kerberos administrator set-up this file for you.
- If your PC is running Windows XP SP2 or later, and you would like to access your native Kerberos ticket, you must set a registry
key to allow Java to access the ticket.
- Before setting a registry key, back up your Windows registry.
- To set the key, start the registry editor ( and enter regedit) and add or edit the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ Kerberos\Parameters
Value name: AllowTgtSessionKeyValue type: REG_DWORDValue: 0x01If configuring Windows XP, add or edit this key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos
Value name: AllTgtSessionKeyValue type: REG_DWORDValue: 0x01
NOTE: If necessary, you can return to the default Windows security setting by changing the value of this registry key to zero (0).
On completion of this procedure, you have successfully updated the Kerberos configuration file (
krb5.conf) and set up a registery key in the PC.