 
 

Cross-Realm Abatement

Updated 11/15/2007

 

 
 

After January 7, 2008, the CalNetAD team will no longer support cross-realm authentication with the MIT KDC (BERKELEY.EDU). A domain-wide GPO (Campus – Remove BERKELEY.EDU cross-realm) is available to remove the Windows 2000/XP registry keys that point to the MIT Kerberos realm. OU administrators should start testing this GPO in their environment as soon as possible, as they are expected to apply it to their OU structure prior to December 20. Most importantly, OU administrators will need to educate their user population regarding user credentials:

  • The "BERKELEY.EDU (Kerberos Realm)" drop down in the Windows logon GUI will no longer be present
  • "username@BERKELEY.EDU" will still be valid, however
  • Users can also select "CAMPUS" from the drop down menu

The registry script used by the GPO is available via the following link for non-joined machines:  http://calnetad.berkeley.edu/documentation/scripts/norealm.reg

After January 7, student employees will no longer be able to access CalNetAD resources with their employee IDs.  However, the student ID will still work.

Below is a step-by-step guide detailing how to perform this change:

  • In order to link a GPO to your OU, you need to have downloaded and installed the Group Policy Management Console (GPMC).  If you don’t have this, you can get it from this link:  http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
  • Click on START, Administrative Tools, then RIGHT CLICK on “Group Policy Management”

  • The following dialog box will appear.

  • Click on the “The following user” radio button and fill in your OU Admin logon
    Use the format:  campus\"ou admin id"  (replace “ou admin id” with your valid logon minus the quotes).
  • When the GPMC opens, click on the “plus” sign to expand the forest.

  • In this example, the IST OU has been selected. The ASD unit is the target to receive the new GPO. Expand the OU by clicking on the "plus" sign.

  • Right click on the folder where you want to link the GPO, and then click on “Link an Existing GPO …”

  • You should be presented with the dialog box “Select GPO”. Scroll down to the GPO you wish to link to your OU.

  • Select the “Campus – Remove BERKELEY.EDU cross-realm” GPO.

  • The policy now displays in the "Campus - Remove BERKELEY.EDU cross-realm" GPO.
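
A scripted equivalent of the GPMC steps above, followed by a client-side check, as an added example that is not CalNetAD's own tooling. It assumes the GroupPolicy PowerShell module that ships with newer GPMC/RSAT releases, a placeholder OU distinguished name, and that the realm entry sits in the registry location `ksetup` writes to; the page does not name the keys the GPO removes.

```powershell
# Added example; names marked "placeholder" or "assumption" are not from the page.

function Add-RealmRemovalLink {
    param(
        # Placeholder DN: substitute the distinguished name of your own OU.
        [string]$TargetOu = 'OU=ASD,OU=IST,DC=example,DC=edu'
    )
    Import-Module GroupPolicy

    # Match on the stable part of the GPO name; the dash after "Campus" is
    # easy to mistype, so it is left to the wildcard.
    $gpo = @(Get-GPO -All |
        Where-Object { $_.DisplayName -like 'Campus*Remove BERKELEY.EDU cross-realm' })
    if ($gpo.Count -ne 1) {
        throw "Expected exactly one matching GPO, found $($gpo.Count)."
    }

    # Skip the link if the OU already has it, so the function can be re-run.
    $existing = (Get-GPInheritance -Target $TargetOu).GpoLinks |
        Where-Object { $_.GpoId -eq $gpo[0].Id }
    if (-not $existing) {
        New-GPLink -Guid $gpo[0].Id -Target $TargetOu -LinkEnabled Yes | Out-Null
    }

    # Return the OU's current links so the result can be reviewed.
    (Get-GPInheritance -Target $TargetOu).GpoLinks |
        Select-Object DisplayName, Enabled, Enforced, Order
}

function Get-RealmEntry {
    param([string]$Realm = 'BERKELEY.EDU')

    # Assumption: the realm was registered the way ksetup does it, under
    # Lsa\Kerberos\Domains. The page does not name the keys the GPO removes.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\$Realm"
    if (-not (Test-Path -LiteralPath $key)) {
        return [pscustomobject]@{ Realm = $Realm; Present = $false; KdcNames = @() }
    }

    # Key still exists: report which KDC hosts it points at.
    $kdc = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).KdcNames
    [pscustomobject]@{ Realm = $Realm; Present = $true; KdcNames = @($kdc) }
}
```

Run `Add-RealmRemovalLink` from an administrative workstation under your OU Admin logon, then run `Get-RealmEntry` on a client after its next policy refresh. `Present` should be `False` once the GPO has applied.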

For more information on how to administer Group Policy with GPMC, please see the following TechNet article.
