The resulting TGT tickets use a proprietary authorization data format. There was a big flamefest on this issue, though KerberosDCE^? also uses the V5 ticket's authorization data field to store group membership data, the details of Microsoft's format was murky. It is now documented by a paper which essentially requires you to agree to never use the information if you read it, making it similarly useless.

NathanNeulinger^? has used Windows 2000 to provide authentication for AFS. See his message to OpenAFSInfo for details.

DouglasEngert^? posted some details on doing this including a pointer to gsiklog which uses GSSAPI to get an K4/AFS token.

More from Douglas in the same thread.

I suppose this means krb524d must share knowledge of the key used to encrypt the K5 token. How, in practice, does one share such a key with active directory?

You get a key from the W2K much like you get a key for a host. Its just for afs/cell@REALM. The MS documents talk about how to do thisfor a host. The process of adding the afs/cell@realm can output a keytab file, or it can print the key on the screen.

You can then use the MIT ktutil addent -key to add this to a keytab file.

-- TedAnderson - 23 Jan 2002
-- DerrickBrashear - 24 Jan 2002 added the information about the paper.
-- TedAnderson - 18,22 Mar 2002 added Engert pointer.

See KerberosV, KerberosDCE^?, WindowsRoamingProfiles.