GSS-TSIG and Active Directory

Dave Knight dave at knig.ht
Thu Sep 30 21:24:09 UTC 2010


On 2010-09-30, at 11:24 AM, Nicholas F Miller wrote:

> Does anyone actually have GSS-TSIG working with an Active Directory? I see plenty of posts from people trying to get it to work. I have yet to see anyone who claims to actually have it working. Did MS change something in 2008r2 since GSS-TSIG was implemented in bind to make it inoperable?

Right after GSS-TSIG appeared I built a lab for the purpose of demonstrating and documenting a working setup.

That lab contained a couple of W2k3 servers, XP clients and BIND servers running on FreeBSD. I went from bare iron to a working W2k domain using BIND+GSS-TSIG exclusively for name service.

As I recall I did the initial population of the zone used for the W2k domain without security enabled, ie: I informed the Windows machine that the BIND server was to be used and configured the BIND server to allow updates from the Windows server on the basis of its IP address, then ran dcpromo.exe to create the domain, then did the necessary Kerberos bits, then locked down the BIND server to henceforth accept only GSS-TSIG authenticated updates.

I haven't touched this stuff since though, so I have nothing to say about how it might work with contemporary Windows and BIND versions.

dave


More information about the bind-users mailing list