Kerberos KDC preference when using cross-realm trusts
We're using a cross-realm trust at our site to authenticate users in a Windows 7/Server 2008R2 environment as documented at http://social.technet.microsoft.com/wiki/contents/articles/2751.kerberos-interoperability-step-by-step-guide-for-windows-server-2003.aspx

This is convenient for us as all our users already have KDC principals in our MIT KDC we use for our Unix infrastructure. We recently found our Windows clients were authenticating to our secondary KDC (second KDC in the list of KDCs for the authentication realm where the users exist) rather than using the primary KDC in the list.

The Kerberos realms are defined in the "KdcNames" key under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\<domainname>

Is there a way to define both KDCs and assign a preference to one or the other?

John
March 1st, 2012 5:35pm

Hi John,

As far as I know, there are no settings to configure KDC preference on the Windows side. Here is some more information:

Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability
http://technet.microsoft.com/en-us/library/bb742433.aspx

Windows Server 2008 Group Policy settings for interoperability with non-Microsoft Kerberos realms
http://support.microsoft.com/kb/947706/en-us

If you need further assistance, I'd like to recommend you contact Microsoft Customer Support and Service (CSS) directly. The support professionals who are familiar with both Unix and AD domain will be able to assist you better. To obtain the phone numbers for a specific technology request, please take a look at the web site listed below:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS

Regards,
Bruce
March 6th, 2012 2:27am

That's what I was afraid of. Yes, I've looked at the documentation for interoperability with non-Microsoft Kerberos realms, and I wasn't able to find anything on KDC preference there anyway. Thanks for getting back to us.
March 6th, 2012 1:29pm

This topic is archived. No further replies will be accepted.