3.2.1. Active Directory

Microsoft Windows Active Directory can be used as a Kerberos v5 KDC in conjunction with OpenAFS.

  • There are two things to consider when using an Active Directory as the Kerberos realm that issues the AFS service ticket. First, the Kerberos v5 tickets issued by Active Directory can be quite large when compared to tickets issued by traditional UNIX KDCs due to the inclusion of Windows specific authorization data (the Microsoft PAC). If the issued tickets are larger than 344 bytes, OpenAFS 1.2.x servers will be unable to process them and will issue a RXKADBADTICKET error. OpenAFS 1.4 (and beyond) servers can support the largest tickets that Active Directory can issue.

  • Second, the Kerberos v5 tickets issued by Windows 2003 Active Directory are encrypted with the DES-CBC-MD5 encryption type (enctype). OpenAFS 1.2.x servers only support the DES-CBC-CRC enctype. As a result, OpenAFS 1.2.x servers cannot process the resulting Kerberos v5 tokens. Windows 2000 Active Directory issues tickets with the DES-CBC-CRC enctype. A Windows Server 2008 R2 Active Directory domain disables DES-CBC-MD5 by default, so it must be enabled explicitly.

    Microsoft has documented in Knowledge Base article 832572 a new NO_AUTH_REQUIRED flag that can be set on the account mapped to the AFS service principal. When this flag is set, the PAC authorization data will not be included in the ticket. Setting this flag is recommended for all accounts that are associated with non-Windows services and that do not understand the authorization data stored in the PAC. This flag cannot be used if AFS service tickets are obtained via cross-realm using an Active Directory user principal.

    Note that an Active Directory computer object cannot be used for the afs service principal. A user object must be used.
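The following PowerShell script is an added example and is not part of the OpenAFS release notes or the OpenAFS project: it checks that the account backing the afs service principal is a user object (not a computer object), registers the afs/<cell> SPN if it is missing, and sets the userAccountControl bit that Knowledge Base article 832572 describes (the flag the text above calls NO_AUTH_REQUIRED; in userAccountControl it is the 0x2000000 bit, UF_NO_AUTH_DATA_REQUIRED). The account name afs-svc, the cell name example.com and the use of the ActiveDirectory module are assumptions.

```powershell
# Added example (not from the OpenAFS release notes): prepare and audit the AD
# user object that backs the afs service principal.
# Assumptions: ActiveDirectory module available; 'afs-svc' and 'example.com'
# are placeholders for the real sAMAccountName and AFS cell name.
Import-Module ActiveDirectory

$Sam  = 'afs-svc'        # placeholder sAMAccountName of the service account
$Cell = 'example.com'    # placeholder AFS cell name (SPN becomes afs/example.com)

# userAccountControl bit documented in KB 832572: omit the PAC from service tickets.
$UF_NO_AUTH_DATA_REQUIRED = 0x2000000

# msDS-SupportedEncryptionTypes bits relevant to the release notes.
$ENC_DES_CBC_CRC = 0x1
$ENC_DES_CBC_MD5 = 0x2

$acct = Get-ADObject -LDAPFilter "(sAMAccountName=$Sam)" `
    -Properties objectClass, userAccountControl, servicePrincipalName, 'msDS-SupportedEncryptionTypes'

if (-not $acct) { throw "Account '$Sam' not found" }

# The release notes require a user object; a computer object will not work.
if ($acct.objectClass -ne 'user') {
    throw "afs service principal must be mapped to a user object, found '$($acct.objectClass)'"
}

# Register afs/<cell> as an SPN on the account if it is not already there.
$spn = "afs/$Cell"
if ($acct.servicePrincipalName -notcontains $spn) {
    Set-ADObject -Identity $acct -Add @{ servicePrincipalName = $spn }
    Write-Host "Registered SPN $spn on $Sam"
}

# Set the no-authorization-data bit so tickets for this service carry no PAC,
# keeping them small enough for older servers.
$uac = [int]$acct.userAccountControl
if (($uac -band $UF_NO_AUTH_DATA_REQUIRED) -eq 0) {
    Set-ADObject -Identity $acct -Replace @{ userAccountControl = ($uac -bor $UF_NO_AUTH_DATA_REQUIRED) }
    Write-Host "Set UF_NO_AUTH_DATA_REQUIRED on $Sam"
}

# Report which DES enctypes the KDC may use for this account (informational).
$enc = [int]($acct.'msDS-SupportedEncryptionTypes')
Write-Host ("{0}: DES-CBC-CRC={1} DES-CBC-MD5={2}" -f $Sam,
    [bool]($enc -band $ENC_DES_CBC_CRC), [bool]($enc -band $ENC_DES_CBC_MD5))
```

Run the script as a domain administrator on a host with the RSAT Active Directory module. Because the PAC is omitted only for tickets issued to this account, the cross-realm case mentioned above is unaffected by the bit and still produces full-size tickets.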

  • Starting with Windows 7 and Windows Server 2008 R2, Microsoft has disabled the single DES encryption types (see the TechNet article "Changes in Kerberos Authentication"). DES must be enabled via Group Policy in order for Active Directory to be used as a KDC for OpenAFS. To enable weak encryption because of AFS:

    • Start > Administrative Tools > Group Policy Management
    • Expand Forest > Domains > (domain name) > Group Policy Objects > Default Domain Policy
    • Right-click "Default Domain Policy" and select "Edit"
    • Expand "Computer Configuration" > "Policies" > "Windows Settings" > "Security Settings" > "Local Policies" > "Security Options"
    • Double-click "Network security: Configure encryption types allowed for Kerberos"
    • Select "Define this policy setting", then select "DES_CBC_CRC" and all the others...
    • Press "OK"
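The Group Policy setting above is stored on each domain controller as a bit mask. The following PowerShell check is an added example, not part of the OpenAFS release notes: it reads the policy value and reports which Kerberos encryption types are allowed, so an administrator can confirm that DES was enabled and that the stronger types were kept alongside it. The registry path and bit values are the ones used by the "Network security: Configure encryption types allowed for Kerberos" policy; the bit names are assumed from that policy's setting list.

```powershell
# Added example (not from the OpenAFS release notes): audit the Kerberos
# enctype policy on the local machine (run on a domain controller after the
# Group Policy change has been applied, e.g. after gpupdate /force).
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

# Bit values of the "Network security: Configure encryption types allowed for
# Kerberos" policy (SupportedEncryptionTypes DWORD).
$EncTypes = [ordered]@{
    DES_CBC_CRC      = 0x1
    DES_CBC_MD5      = 0x2
    RC4_HMAC_MD5     = 0x4
    AES128_HMAC_SHA1 = 0x8
    AES256_HMAC_SHA1 = 0x10
}

$item = Get-ItemProperty -Path $PolicyKey -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
if (-not $item) {
    Write-Host 'Policy not defined: OS defaults apply (DES disabled on 2008 R2 and later)'
    return
}

$mask = [int]$item.SupportedEncryptionTypes
foreach ($name in $EncTypes.Keys) {
    $enabled = ($mask -band $EncTypes[$name]) -ne 0
    Write-Host ("{0,-18} {1}" -f $name, $(if ($enabled) { 'allowed' } else { 'blocked' }))
}

# Practitioner checks: DES must be on for OpenAFS, and AES should still be on
# so that the rest of the domain does not fall back to weaker enctypes.
if (($mask -band $EncTypes.DES_CBC_CRC) -eq 0) {
    Write-Warning 'DES_CBC_CRC is not allowed; OpenAFS servers will receive RXKADBADTICKET errors'
}
if (($mask -band ($EncTypes.AES128_HMAC_SHA1 -bor $EncTypes.AES256_HMAC_SHA1)) -eq 0) {
    Write-Warning 'AES types are blocked; select them together with DES when defining the policy'
}
```

The value is only present once the policy has been defined and applied, which is why an undefined key is reported as "OS defaults apply" rather than as an error.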