Problem with cross realm trust and udp between AD and MIT

James kerberos at memberships.rfc527.org
Wed Jun 23 13:09:45 EDT 2004


Hey Russ!

It *may* be sufficient to set:

	HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\MYREALM

This is a dword, and the bit you need set is 0x02

See:

	http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/regentry/95141.asp

Best,

J.

/* 
 * Thus spoke Russell Shapiro (2004-06-23 04:05:29 -0700):
 * 
 * Thanks for your response. I don't see the /SetRealmFlags on my version
 * of KSETUP? Do I need a specific version? Here are the switches I see:
 * 
 * ksetup /?
 * 
 * USAGE:
 * /SetRealm DnsDomainName -- set name of RFC1510 Kerberos Realm
 * /MapUser Principal Account -- Map Kerberos Principal to account (* = any/all)
 * /AddKdc RealmName KdcName -- add additional KDC address for the given realm
 * /DelKdc RealmName KdcName -- delete instance(s) of KDC address for the realm
 * /AddKpasswd Realmname KpasswdName -- Add Kpasswd server address for a realm
 * /DelKpasswd Realmname KpasswdName -- Delete Kpasswd server address for a realm
 * /Server Servername -- specify name of a Windows 2000 machine to target changes
 * /SetComputerPassword Password -- set the local machine's password
 * /Domain DomainName -- use this domain (blank for domain in your logged-on domain)
 * /ChangePassword OldPasswd NewPasswd -- change logged-on user's password via Kpassword
 * 
 * Thanks,
 * Russell
 * 
 * 
 * Jeffrey Altman <jaltman2 at nyc.rr.com> wrote in message news:<40D90970.1040804 at nyc.rr.com>...
 * > Have you turned on TCP support on the MIT KDC?
 * > 
 * > You need to use MIT KDC 1.3.x; turn on TCP support; and
 * > set the TcpSupported flag on the MIT realm with KSETUP.
 * > 
 * > Jeffrey Altman
 * > 
 * > 
 * > Russell Shapiro wrote:
 * > > I have a one way trust between AD KDC and MIT KDC, where MIT trusts
 * > > AD. This seems to mostly work where windows clients can retrieve MIT
 * > > service tickets. There are some windows accounts, however, where I
 * > > believe there are too many groups which causes problems. When trying
 * > > to get a service ticket from the MIT KDC with one of these windows
 * > > accts I get the following error message in the MIT kdc log:
 * > > 
 * > > ASN.1 encoding ended unexpectedly - while dispatching (udp)
 * > > 
 * > > We have tcp enabled for the MIT KDC but it seems that the windows
 * > > client only ever tries udp, which I'm assuming is too small for the
 * > > request based on the error message. It may be that we missed something
 * > > in the configuration of the MIT KDC so that it will tell the windows
 * > > client to try tcp instead? I set the MaxPacketSize to 1 on the windows
 * > > client to try and force tcp but that doesn't seem to work to the MIT
 * > > KDC. Is there anything we need to set to make sure that the request
 * > > will come over tcp, if that is, in fact, our problem? Any suggestions
 * > > or help on resolving this would be most appreciated. Ideally we
 * > > wouldn't even send the PAC data in the request to the MIT KDC but it
 * > > isn't clear that can be done either. Any suggestions? Thanks in
 * > > advance.
 * ________________________________________________
 * Kerberos mailing list           Kerberos at mit.edu
 * https://mailman.mit.edu/mailman/listinfo/kerberos
 * 
 */
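The registry route James describes, worked through as an added example (this is not code from the thread, and none of the participants posted it): it ORs the TcpSupported bit (0x02) into the realm's flags under the key named in the message, checks the result, and points at the equivalent ksetup /SetRealmFlags call for ksetup builds that have it. The value name RealmFlags is taken from Microsoft's ksetup documentation and is not stated in the message; the realm name MYREALM is a placeholder, as in the message.

```powershell
# Added example, not from the mailing-list thread. Sets the TcpSupported
# realm flag (0x02) for a non-Windows (MIT) realm on a Windows client so the
# Kerberos SSP will use TCP to that realm's KDCs. Run in an elevated shell.
param(
    [string]$Realm = 'MYREALM'   # placeholder realm name, as in the message
)

$TcpSupported = 0x02
# Key named in the message; the value name RealmFlags is from Microsoft's
# ksetup documentation (assumption: not stated in the thread).
$key = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\$Realm"

# The realm key is created by 'ksetup /AddKdc REALM kdcname'. Refuse to
# create it by hand: a flags value without KDC names does nothing useful.
if (-not (Test-Path $key)) {
    throw "Realm key '$key' not found. Define the realm with ksetup /AddKdc first."
}

# Read the current flags; a missing value is treated as 0.
$current = (Get-ItemProperty -Path $key -Name RealmFlags -ErrorAction SilentlyContinue).RealmFlags
if ($null -eq $current) { $current = 0 }

if (($current -band $TcpSupported) -ne 0) {
    Write-Host ("RealmFlags already has TcpSupported set (0x{0:X})" -f $current)
} else {
    # OR the bit in rather than overwriting, so other realm flags survive.
    $new = $current -bor $TcpSupported
    # -Type DWord both creates the value if absent and rewrites it if present.
    Set-ItemProperty -Path $key -Name RealmFlags -Value $new -Type DWord
    Write-Host ("RealmFlags changed 0x{0:X} -> 0x{1:X}" -f $current, $new)
}

# Verify the write actually landed.
$verify = (Get-ItemProperty -Path $key -Name RealmFlags).RealmFlags
if (($verify -band $TcpSupported) -eq 0) {
    throw "RealmFlags write did not take effect on $key"
}

# On ksetup builds that have the switch, this is the supported equivalent:
#   ksetup /SetRealmFlags $Realm tcpsupported
# Tickets already cached were obtained over UDP; purge them (klist purge on
# Vista and later) or log off/on so the next request exercises the new flag.
```

This only tells the Windows side that the realm's KDCs accept TCP; the MIT KDC must also be listening on TCP (krb5 1.3 and later, kdc_tcp_ports in the [kdcdefaults] section of kdc.conf), as Jeffrey says above. It also explains why the MaxPacketSize experiment in the thread did not help: that setting lowers the UDP threshold, but for a realm defined through ksetup the SSP will not try TCP unless the realm's flags say the KDCs support it.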

