Active Directory Kerberos Interoperability And Pass-Through Authentication

The U-M Active Directory (UMROOT) forest supports interoperability with the U-M Kerberos service. Each Active Directory (AD) domain functions as a Kerberos realm, providing a common authentication mechanism between AD and Kerberos.

What Is Pass-Through Authentication?

Active Directory and Kerberos interoperability at U-M can be used to create a single sign-on environment. A user logs on once with their uniqname and UMICH (Level-1) password and can then access resources protected by either AD or Kerberos without authenticating again. When this is done from an AD-joined Windows computer at U-M, it is referred to as pass-through authentication.

How Pass-Through Authentication Works

The Kerberos realm resides at the top of a "trust path," a one-way chain of transitive trust that runs from an AD domain in the U-M forest up to the U-M Kerberos realm. The trust path starts at the domain to which the Windows client computer belongs (UMICH), "passes through" the AD forest root domain (UMROOT), and ends at the Kerberos realm (UMICH.EDU). AD at U-M trusts U-M Kerberos, but the reverse is not true: AD domain controllers accept tickets issued by the UMICH.EDU Kerberos KDC for logon, while the Kerberos KDC accepts nothing issued by AD. Because of this one-way trust, a compromise of the AD forest cannot be used to forge credentials that the U-M Kerberos realm would honor, which protects the U-M Kerberos database from security problems that may arise in the AD forest.
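The following PowerShell script is an added example, not part of the U-M documentation, that checks the trust just described from the AD side: it reads the forest root's trust object for the MIT Kerberos realm and confirms that the trust is of type MIT, one-way outbound (AD trusts Kerberos, not the reverse), and transitive, so that child domains such as UMICH can pass through UMROOT. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the caller can read trust objects, and that -Server, if given, names a domain controller in the forest root; the function name Test-KerberosRealmTrust is the example's own.

```powershell
# Added example (not from the U-M page): verify that the forest root's trust to the
# MIT Kerberos realm matches the documented design (one-way, AD -> Kerberos, transitive).
# Assumes the ActiveDirectory module (RSAT) and rights to read trust objects.
Import-Module ActiveDirectory

function Test-KerberosRealmTrust {
    param(
        [Parameter(Mandatory)] [string] $Realm,   # e.g. 'UMICH.EDU'
        [string] $Server                          # optional: a DC in the forest root (UMROOT)
    )

    # Trust objects are filtered by their Target (the trust partner), here the realm name.
    $query = @{ Filter = "Target -eq '$Realm'" }
    if ($Server) { $query.Server = $Server }
    $trust = Get-ADTrust @query

    if (-not $trust) {
        return [pscustomobject]@{ Realm = $Realm; Found = $false }
    }

    # TRUST_ATTRIBUTE_NON_TRANSITIVE (0x1) set in trustAttributes means NOT transitive.
    $NonTransitive = 0x1

    [pscustomobject]@{
        Realm            = $Realm
        Found            = $true
        TrustType        = $trust.TrustType    # expect 'MIT' for a non-Windows Kerberos realm
        Direction        = $trust.Direction    # expect 'Outbound': this forest trusts the realm
        IsOneWayOutbound = ($trust.Direction -eq 'Outbound')
        IsTransitive     = -not ($trust.TrustAttributes -band $NonTransitive)
        UsesAES          = $trust.UsesAESKeys
    }
}

# Run from (or against) the forest root and flag deviations from the documented design.
$result = Test-KerberosRealmTrust -Realm 'UMICH.EDU'
$result | Format-List

if ($result.Found -and $result.Direction -ne 'Outbound') {
    Write-Warning "Trust to $($result.Realm) is $($result.Direction): Kerberos would accept AD-issued credentials, which the one-way design is meant to prevent."
}
if ($result.Found -and -not $result.IsTransitive) {
    Write-Warning "Trust to $($result.Realm) is non-transitive: pass-through from child domains such as UMICH will fail."
}
if ($result.Found -and $result.TrustType -ne 'MIT') {
    Write-Warning "Trust to $($result.Realm) has type $($result.TrustType); a Kerberos realm trust should report 'MIT'."
}
```

The Direction value is reported from the AD side, so "Outbound" is the correct reading of "AD trusts Kerberos"; a "Bidirectional" result would mean the Kerberos realm has been configured to trust AD as well, which is exactly the exposure the one-way design avoids.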

Setting Up Pass-Through Authentication

See: Using Pass-Through Authentication on Windows, or contact your unit's IT staff for assistance.