Ksetup:listrealmflags
Applies To: Windows Server 2008 R2, Windows Server 2012, Windows 8
Lists the available realm flags that can be reported by ksetup. For examples of how this command can be used, see Examples.
Syntax
ksetup /listrealmflags
Parameters
None
Remarks
The realm flags specify additional features of a non-Windows-based Kerberos realm. Computers that are running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 can use a non-Windows-based Kerberos server to administer authentication instead of using a domain that is running a Windows Server operating system. These systems participate in a Kerberos realm instead of a Windows domain. This entry establishes the features of the realm. The following table describes each.
Value |
Realm flag |
Description |
|---|---|---|
0xF |
All |
All realm flags are set. |
0x00 |
None |
No realm flags are set, and no additional features are enabled. |
0x01 |
SendAddress |
The IP address will be included within the ticket-granting tickets. |
0x02 |
TcpSupported |
The Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) are supported in this realm. |
0x04 |
Delegate |
Everyone in this realm is trusted for delegation. |
0x08 |
NcSupported |
This realm supports name canonicalization, which allows for DNS and realm naming standards. |
0x80 |
RC4 |
This realm supports RC4 encryption to enable cross-realm trust, which allows for the use of TLS. |
Realm flags are stored in the registry in **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\**Realm-name. This entry does not exist in the registry by default. You can use the Ksetup:addrealmflags command to populate the registry.
Examples
List the known realm flags on this computer:
ksetup /listrealmflags
Set the available realm flags that Ksetup does not know by typing either of the following commands at the command line:
ksetup /setrealmflags CORP.CONTOSO.COM sendaddress tcpsupported delete ncsupported
ksetup /setrealmflags CORP.CONTOSO.COM 0xF