Define host name-to-Kerberos realm mappings

This policy setting allows you to specify which DNS host names and which DNS suffixes are mapped to a Kerberos realm.

If you enable this policy setting, you can view and change the list of DNS host names and DNS suffixes mapped to a Kerberos realm as defined by Group Policy. To view the list of mappings, enable the policy setting and then click the Show button. To add a mapping, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type a realm name. In the Value column, type the list of DNS host names and DNS suffixes using the appropriate syntax format. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters.

If you disable this policy setting, the host name-to-Kerberos realm mappings list defined by Group Policy is deleted.

If you do not configure this policy setting, the system will use the host name-to-Kerberos realm mappings that are defined in the local registry, if they exist.

Supported on: At least Windows Vista

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos
Value Name: domain_realm_Enabled
Value Type: REG_DWORD
Enabled Value: 1
Disabled Value: 0

Define host name-to-realm mappings:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\domain_realm
Value Name: {number}
Value Type: REG_SZ
Default Value:

Syntax:

Enter the Kerberos realm name as the Value Name.

Enter the host names and DNS suffixes that you want to map to the Kerberos realm as the Value. To add multiple names, separate entries with ";".

Note: To specify a DNS suffix, precede the entry with a '.' period. For a host name entry, do not specify a leading '.' period.

Example:

Value Name: MICROSOFT.COM

Value: .microsoft.com; .ms.com; computer1.fabrikam.com;

In the example above, all principals with either the DNS suffix of *.microsoft.com or *.ms.com will be mapped to the MICROSOFT.COM Kerberos realm. In addition, the host name computer1.fabrikam.com will also be mapped to the MICROSOFT.COM Kerberos realm.
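
The following PowerShell is an added audit example, not part of the policy text or Microsoft's code: it reads the registry locations listed above, splits each value using the documented syntax, and flags malformed entries and names that are mapped to more than one realm. It assumes each value under domain_realm is stored with the realm as the value name, as the Syntax section describes; the helper name ConvertFrom-RealmMapping, the EXAMPLE.TEST realm and the fallback sample data are constructed for illustration.

```powershell
# Added example. Registry path and value names are the ones listed on this page.
$base = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos'

function ConvertFrom-RealmMapping {
    # Hypothetical helper: split one realm's value into typed, validated rows.
    param([string]$Realm, [string]$Value)
    foreach ($raw in ($Value -split ';')) {
        $entry = $raw.Trim()
        if ($entry -eq '') { continue }      # tolerate the trailing ';' seen in the example
        $name = $entry.TrimStart('.')
        [pscustomobject]@{
            Realm = $Realm
            Entry = $entry
            Kind  = if ($entry.StartsWith('.')) { 'DnsSuffix' } else { 'HostName' }
            # Assumption: only DNS label characters are legitimate; wildcards or spaces are flagged.
            Valid = $name -match '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$'
        }
    }
}

$flag = Get-ItemProperty -Path $base -Name 'domain_realm_Enabled' -ErrorAction SilentlyContinue
$key  = Get-Item -Path "$base\domain_realm" -ErrorAction SilentlyContinue

if ($key) {
    # Assumption: value name = realm, value data = entry list (per the Syntax section).
    $rows = @(foreach ($n in $key.GetValueNames()) {
        ConvertFrom-RealmMapping -Realm $n -Value ([string]$key.GetValue($n))
    })
} else {
    # No policy list on this machine: use the page's example plus one constructed bad entry.
    $rows = @(ConvertFrom-RealmMapping 'MICROSOFT.COM' '.microsoft.com; .ms.com; computer1.fabrikam.com;') +
            @(ConvertFrom-RealmMapping 'EXAMPLE.TEST' '.ms.com; *.bad entry')
}

# The same host name or suffix listed under two realms is ambiguous and worth reviewing.
$conflicts = $rows | Group-Object { $_.Entry.ToLowerInvariant() } |
    Where-Object { @($_.Group.Realm | Sort-Object -Unique).Count -gt 1 }

"domain_realm_Enabled = $($flag.domain_realm_Enabled)"
$rows | Format-Table Realm, Kind, Entry, Valid -AutoSize
$conflicts | ForEach-Object { "Conflict: $($_.Name) -> $(@($_.Group.Realm | Sort-Object -Unique) -join ', ')" }
```

With the fallback data, the output marks "*.bad entry" as not valid and reports .ms.com as listed under both realms.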


kerberos.admx
