The easier way to get work the Captive Portal authenticating the users of a Microsoft Active Directory domain is to add the domain as “External Kerberos 5 Realm”.
In this manner, you have not to add the shared Kerberos keys to establish the trust relationship.
In any case, either you configure an “External Kerberos 5 Realm” or a “Trusted Kerberos 5 Realm”, you don’t need to create the user principals in the Zeroshell’s Kerberos KDC.
Don’t forget that Zeroshell must be able to locate the Active Directory Kerberos 5 KDC. In order to make this possible, you just have to add, in the section [Kerberos 5]->[Realms], the Active Directory realm and the IP or FQDN hostname of at least one of the Active Directory domain controller (any domain controller runs a Kerberos KDC). This step is not needed if the DNS is correctly configured and you have set the option “Use the DNS to discovery Realms and KDC servers not ” to yes in the [Kerberos 5]->[Realms] section. In this case, Zeroshell uses the SRV service locator resource, automatically configured in the Active Directory’s DNS, to get the KDC’s IP address.