Define interoperable Kerberos V5 realm settings

This policy setting configures the Kerberos client so that it can authenticate with interoperable Kerberos V5 realms, as defined by this policy setting.

If you enable this policy setting, you can view and change the list of interoperable Kerberos V5 realms and their settings. To view the list of interoperable Kerberos V5 realms, enable the policy setting and then click the Show button. To add an interoperable Kerberos V5 realm, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type the interoperable Kerberos V5 realm name. In the Value column, type the realm flags and host names of the host KDCs using the appropriate syntax format. To remove an interoperable Kerberos V5 realm Value Name or Value entry from the list, click the entry, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters.

If you disable this policy setting, the interoperable Kerberos V5 realm settings defined by Group Policy are deleted.

If you do not configure this policy setting, the system will use the interoperable Kerberos V5 realm settings that are defined in the local registry, if they exist.

Supported on: At least Windows Vista

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos
Value Name: MitRealms_Enabled
Value Type: REG_DWORD
Enabled Value: 1
Disabled Value: 0

Define interoperable Kerberos V5 realm settings:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\MitRealms
Value Name: {number}
Value Type: REG_SZ
Default Value:

Syntax:

Enter the interoperable Kerberos V5 realm name as the Value Name.

Enter the realm flags and the host names of the KDCs as the Value. Enclose the realm flags with the following tags <f> </f>. Enclose the list of KDCs with the tags <k> </k>.

To add multiple KDC names, separate entries with a semi-colon ";".

Example:

Value Name: TEST.COM

Value: <f>0x00000004</f><k>kdc1.test.com; kdc2.test.com</k>

Another Example:

Value Name: REALM.FABRIKAM.COM

Value: <f>0x0000000E</f>
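
The following parser for the Value syntax above is an added example, not part of the policy template. It decodes each entry and lists what a reviewer should check when auditing exported realm settings. Assumptions: the flag names come from the `ksetup /setrealmflags` documentation (this page does not define the bits), flags are written as 0x-prefixed hex as in the page's examples, and the function names and the `BAD.EXAMPLE` entry are constructed for illustration.

```python
import re

# Flag bits as listed for `ksetup /setrealmflags`; the page does not define them.
REALM_FLAGS = {0x01: "SendAddress", 0x02: "TcpSupported", 0x04: "Delegate",
               0x08: "NcSupported", 0x80: "RC4"}
VALUE_RE = re.compile(
    r"\s*<f>\s*(0[xX][0-9A-Fa-f]{1,8})\s*</f>\s*(?:<k>(.*?)</k>\s*)?", re.S)
HOST_RE = re.compile(r"[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*")


def parse_realm_value(value):
    """Split '<f>flags</f><k>kdc1; kdc2</k>' into (flags, [kdc, ...])."""
    m = VALUE_RE.fullmatch(value)
    if not m:
        raise ValueError(f"not in <f>..</f><k>..</k> form: {value!r}")
    kdcs = [h.strip() for h in (m.group(2) or "").split(";") if h.strip()]
    for host in kdcs:
        if not HOST_RE.fullmatch(host):
            raise ValueError(f"invalid KDC host name: {host!r}")
    return int(m.group(1), 16), kdcs


def audit_realm(name, value):
    """Decode one realm entry and list the points a reviewer should check."""
    flags, kdcs = parse_realm_value(value)
    findings = []
    if flags & 0x04:
        findings.append("Delegate flag set: confirm delegation is intended")
    if flags & 0x80:
        findings.append("RC4 flag set: confirm RC4 is still required")
    if flags & ~sum(REALM_FLAGS):
        findings.append(f"undefined flag bits: {flags & ~sum(REALM_FLAGS):#x}")
    if not kdcs:
        findings.append("no KDC host names listed in this entry")
    names = [n for bit, n in sorted(REALM_FLAGS.items()) if flags & bit]
    return {"realm": name, "flags": names, "kdcs": kdcs, "findings": findings}


# First two entries are the page's examples; the third is constructed (malformed).
SAMPLE = {"TEST.COM": "<f>0x00000004</f><k>kdc1.test.com; kdc2.test.com</k>",
          "REALM.FABRIKAM.COM": "<f>0x0000000E</f>",
          "BAD.EXAMPLE": "<f>4</f><k>kdc1.bad.example</k>"}

if __name__ == "__main__":
    for realm, raw in SAMPLE.items():
        try:
            print(audit_realm(realm, raw))
        except ValueError as err:
            print(f"{realm}: rejected ({err})")
```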


kerberos.admx
