Paul Wojcicki Jarocki

Alternate methods

What really happens

The underlying mechanism of creating a user mapping is setting a single attribute on the user object in Active Directory. This attribute is called "altSecurityIdentities" (it is multi-valued, so a user can carry several mappings) and is assigned a value of the form "Kerberos:username@REALM".

The Windows way

To create a mapping the way Microsoft intended it, run Active Directory Users and Computers, which is found under Administrative Tools on every domain controller. Right-click the user whose account you would like to map and choose Name Mappings...

If you don't see Name Mappings... on the pop-up menu you first have to select Advanced Features from the View menu.

A dialog box appears. On the first tab you can map a certificate to this user, for example for remote access authentication. We are interested in the second tab, labeled Kerberos Names.

Assuming you don't have any existing mappings, click Add... In the box that opens, type in a principal name in the format username@REALM. Make sure that the name of the realm is written in capital letters.

Now, click OK to close this box. Click OK to close the Security Identity Mapping window. That's it!

Oh, wait. While this is an easy way to add or change the mapping for a few users, imagine doing that for a hundred users, or a thousand.

Scripting

Microsoft provides a way to automate this function. It's called Active Directory Service Interfaces (ADSI) and can be used from the Windows Scripting Host. While very powerful, I found it lacks a certain level of functionality and user-friendliness. I needed visual feedback at the very least.
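The same ADSI interfaces can be driven from PowerShell, which gives the per-user feedback the paragraph above asks for. The following is an added example, not the author's script and not part of Charon Migration Wizard; it assumes a domain-joined host, an account permitted to write altSecurityIdentities, and a hypothetical CSV with the columns SamAccountName and Principal (e.g. "jdoe,jdoe@EXAMPLE.ORG").

```powershell
# Added example (not from the page or Charon). Assumes: domain-joined host, rights to
# write altSecurityIdentities, and a CSV with hypothetical columns SamAccountName,Principal.
param(
    [Parameter(Mandatory)][string]$CsvPath,
    [switch]$WhatIf   # report what would change without writing to the directory
)

$root       = [ADSI]"LDAP://RootDSE"
$searchBase = [ADSI]"LDAP://$($root.defaultNamingContext)"

foreach ($row in Import-Csv -Path $CsvPath) {
    $principal = $row.Principal
    # The realm part must be upper-case, as the page notes; refuse anything else.
    $parts = $principal.Split('@')
    if ($parts.Count -ne 2 -or $parts[1] -cne $parts[1].ToUpperInvariant()) {
        Write-Warning "Skipping '$($row.SamAccountName)': '$principal' is not user@REALM with an upper-case realm"
        continue
    }
    $value = "Kerberos:$principal"

    # Locate the user object by sAMAccountName.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = $searchBase
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$($row.SamAccountName)))"
    $result = $searcher.FindOne()
    if (-not $result) {
        Write-Warning "Skipping '$($row.SamAccountName)': no such user"
        continue
    }
    $user = $result.GetDirectoryEntry()

    # altSecurityIdentities is multi-valued: keep existing mappings, skip duplicates.
    $existing = @($user.Properties["altSecurityIdentities"])
    if ($existing -contains $value) {
        Write-Host "Unchanged $($row.SamAccountName): $value"
        continue
    }
    if ($WhatIf) {
        Write-Host "Would map $($row.SamAccountName) -> $value"
        continue
    }
    $user.Properties["altSecurityIdentities"].Add($value) | Out-Null
    $user.CommitChanges()
    Write-Host "Mapped    $($row.SamAccountName) -> $value"
}
```

Run it first with -WhatIf to review the planned mappings; the CSV values are inserted into an LDAP filter as-is, so keep the input file under your control.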

Wizard interface

Charon Migration Wizard is a fast and easy way to map tens of thousands of users to their Kerberos accounts while providing additional functionality.

Copyright © 2003 - 2004 Paul Wojcicki Jarocki