Setting Up Pass-Through Authentication on Windows

Required Conditions For Pass-Through Authentication

These conditions must be met before pass-through logons will complete successfully:

  • The Windows computer must be a member of a domain in the U-M Active Directory (AD) forest. The computer can be in the production or test forests.
  • Pass-through authentication works only with uniqname accounts; it does not work with other AD accounts, such as departmental administrative accounts.
  • The AD user object to be used for pass-through logons must be mapped to the U-M Kerberos UMICH.EDU realm. All centrally maintained AD user accounts in the UMROOT domain include a Kerberos mapping of the user to the UMICH.EDU realm.
  • The AD user account needs to reside in a domain that is included in a trust path between the Kerberos realm (UMICH.EDU) and the resource (computer) domain. All centrally maintained AD user accounts in UMROOT are guaranteed to be in the Kerberos trust path. Windows user accounts that reside in the same domain as the computer also define a correct trust path. If an AD user object resides in one AD domain tree (for example, ad.engin.umich.edu) but the computer used to log on is in another domain tree (for example, adsroot.itcs.umich.edu), the trust path may not include the user's domain, and pass-through might fail.
  • The trust path must traverse the forest root domain, UMROOT. This should automatically be the case for objects in the U-M AD forest because all trust to the UMICH.EDU realm flows through the forest root domain, UMROOT.

Configuring Windows Computers for Pass-Through Authentication

To use pass-through authentication on Windows computers connecting to U-M AD domains, the following settings must be applied. Settings can be applied manually or through automated processes.

  1. Enable the following setting in Group Policy for the Organizational Unit (OU) where your workstations will receive the policy:
    Computer Configuration > Administrative Templates > System > Logon > Always wait for the network at computer startup and logon
  2. Make the following registry settings either manually or using this registry (.reg) file. The file should be saved with a .reg extension. It can be run manually or used in automated processes. Remember to reboot systems after applying new registry settings. 
    All settings need to be made in the registry under:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\UMICH.EDU]

    Key            Type       Value
    RealmFlags     DWORD      8
    KPasswdNames   MULTI_SZ   kerberos.umich.edu
                              kerberos-1.umich.edu
                              kerberos-2.umich.edu
                              kerberos-3.umich.edu
    KdcNames       MULTI_SZ   kerberos.umich.edu
                              kerberos-1.umich.edu
                              Kerberos-3.umich.edu
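As an added example (this is not the .reg file the page links to, nor U-M's own code), the following PowerShell script audits the realm-mapping values in the table above and reports any that are missing or differ; with -Remediate it writes them. It assumes the same key path and values as the table and that it is run in an elevated session on the domain-joined workstation.

```powershell
# Added example; not from the U-M page or its .reg file. Run elevated.
# The page notes a reboot is still required after changing these values.
$RealmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\UMICH.EDU'

# Expected values, copied from the page's table.
$Expected = [ordered]@{
    RealmFlags   = 8
    KPasswdNames = @('kerberos.umich.edu', 'kerberos-1.umich.edu',
                     'kerberos-2.umich.edu', 'kerberos-3.umich.edu')
    KdcNames     = @('kerberos.umich.edu', 'kerberos-1.umich.edu',
                     'Kerberos-3.umich.edu')
}

function Test-UmichRealmMapping {
    [CmdletBinding()]
    param([switch]$Remediate)

    if (-not (Test-Path $RealmKey)) {
        Write-Warning "Realm key is missing: $RealmKey"
        if (-not $Remediate) { return $false }
        New-Item -Path $RealmKey -Force | Out-Null
    }
    $actual  = Get-ItemProperty -Path $RealmKey
    $healthy = $true

    foreach ($name in $Expected.Keys) {
        $want = $Expected[$name]
        $have = $actual.$name
        if ($want -is [array]) {
            # MULTI_SZ: compare as sets; Compare-Object ignores case by default,
            # which matches DNS host names being case-insensitive.
            $bad = ($null -eq $have) -or (Compare-Object $want @($have))
        } else {
            $bad = ($null -eq $have) -or ($have -ne $want)
        }
        if (-not $bad) { continue }
        $healthy = $false
        Write-Warning ("{0}: have [{1}], expected [{2}]" -f $name,
                       ($have -join ', '), ($want -join ', '))
        if ($Remediate) {
            $type = if ($want -is [array]) { 'MultiString' } else { 'DWord' }
            Set-ItemProperty -Path $RealmKey -Name $name -Value $want -Type $type
        }
    }
    return $healthy
}

Test-UmichRealmMapping              # report only; returns $true when all values match
# Test-UmichRealmMapping -Remediate # write the values from the table, then reboot
```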

Accessing File Shares with Kerberos Pass-Through

Users can access AD file shares using pass-through authentication on workstations they have logged into using their uniqname and UMICH (Level-1) password. File shares can be mapped to a drive manually, or by group policy, or with logon scripts.

Users who wish to map a drive manually need to:

  • Enter UMICH.EDU\uniqname for the user name, using caps for UMICH.EDU and replacing uniqname with their individual uniqname.
  • Enter their UMICH (Level-1) password when prompted for a password.

Troubleshooting Tips

  • If the DNS suffix of your Windows workstation is different from the AD domain name of the computer, you must set the Primary DNS suffix to match the AD domain name.
  • If two AD domains in the trust path both contain the same mapped principal name, the account in the domain that is closest to the Kerberos realm is the one that will be used. This is a result of Kerberos referrals discovering AD resources in order from the Kerberos realm down to the resource domain.
Last Updated: Friday, June 14, 2019