You must consider the following issues related to interoperability
with Windows 2000 implementations.
Database Considerations
Your network can contain more than one Kerberos server, but there is
only one master copy of the database that is propagated to all secondary
servers. In a Windows 2000 Kerberos implementation, an enterprise
can contain more than one domain controller, and each domain controller
contains a writable copy of the database. Therefore, the two Kerberos implementations
cannot share the same database.
You cannot propagate database entries between Kerberos Servers
and Windows 2000 domain controllers. Do not attempt to set a Windows
2000 domain controller as a secondary server to a Kerberos primary
server, or vice versa.
Encryption Considerations
In the Kerberos authentication protocol, critical information
is never sent in clear text over the network. Instead, it is encrypted
using a specified algorithm. Although HP's Kerberos Server
supports 3DES encryption, Windows 2000 requires DES encryption when
it interoperates with other Kerberos implementations. Thus, principals
in these realms who must access resources in Windows 2000 domains
must use a DES key type.
Postdated Tickets
While the Kerberos server and client support postdated tickets,
the Windows 2000 domain controller and client do not. If you use
postdated tickets to run batch procedures over time, be sure the
procedure does not need access to Windows 2000 services.