As of Windows NT version 5.0, normally known by the name Windows 2000, the domain controller (aka ActiveDirectory) uses ?KerberosV for authentication.

The resulting TGT tickets use a proprietary authorization data format. There was a big flamefest on this issue, though ?KerberosDCE also uses the V5 ticket's authorization data field to store group membership data, the details of Microsoft's format was murky. It is now documented by a paper which essentially requires you to agree to never use the information if you read it, making it similarly useless.

Nathan Neulinger has used Windows 2000 to provide authentication for AFS. See his message to ?OpenAFSInfo for details.

Douglas Engert posted some details on doing this including a pointer to gsiklog which uses GSSAPI to get an K4/AFS token.

More from Douglas in the same thread.

I suppose this means krb524d must share knowledge of the key used to encrypt the K5 token. How, in practice, does one share such a key with active directory?

You get a key from the ?W2K much like you get a key for a host. Its just for afs/cell@REALM. The MS documents talk about how to do thisfor a host. The process of adding the afs/cell@realm can output a keytab file, or it can print the key on the screen.

You can then use the MIT ktutil addent -key to add this to a keytab file.

-- Ted Anderson - 23 Jan 2002
-- Derrick Brashear - 24 Jan 2002 added the information about the paper.
-- Ted Anderson - 18,22 Mar 2002 added Engert pointer.

See ?KerberosV, ?KerberosDCE, ?WindowsRoamingProfiles.