Cross Realm authentication error
Dain Ridnouer
dain1155 at hotmail.com
Mon Oct 28 10:16:53 EST 2002
I am trying to set up a cross realm environment between a Microsoft KDC and
a KDC running in the Unix environment and keep getting "Authorization
failed" when doing a kerberized telnet from the Microsoft side to Unix. The
Unix KDC runs the CyberSafe version of Kerberos version 5.
Details:
Microsoft hostname: microkerb.org
Microsoft realm: MICROKERB.ORG
Unix hostname: kerbsrvt1.test.org
Unix Realm: UKREALM
I have read the Microsoft and CyberSafe interoperability papers and set up
the appropriate trusts and user mappings between the 2 realms (I think).
When I log on to an XP machine in the Microsoft realm I get the following
tickets:
MICROKERB.ORG
|
|-- krbtgt/MICROKERB.ORG@MICROKERB.ORG
|-- krbtgt/MICROKERB.ORG@MICROKERB.ORG
|-- host/xpbox1.microkerb.org
|-- LDAP/mserver1.microkerb.org@MICROKERB.ORG
|-- ldap/mserver1.microkerb.org/microkerb.org@MICROKERB.ORG
|-- cifs/mserver1.microkerb.org@MICROKERB.ORG
I do the telnet and get the following messages when I turn on debugging:
-------------------------------------------------------------
Sent: WILL AUTHENTICATION
Sent: DO ENCRYPT
Sent: WILL ENCRYPT
Sent: WILL NAWS
Rcvd: DO AUTHENTICATION
Rcvd: SB AUTHENTICATION KERBEROS_V4 SERVER|MUTUAL KERBEROS_V5 SERVER|MUTUAL
0 1 2 1 0
Rcvd: WILL ENCRYPT
Rcvd: DO ENCRYPT
Sent: WILL ENCRYPT
Rcvd: SB ENCRYPT SUPPORT 1 2
Rcvd: DO NAWS
Sent: WILL NAWS
Sent: SB NAWS 0 50 0 28
Rcvd: DO TERMINAL TYPE
Sent: WILL TERMINAL TYPE
Rcvd: DO TSPEED
Sent: WONT TSPEED
Rcvd: DO XDISPLOC
Sent: WONT XDISPLOC
Rcvd: DO ENVIRON
Sent: WONT ENVIRON
Rcvd: SB TERMINAL TYPE 1
Sent: SB TERMINAL TYPE 0 56 54 31 30 30
_telnetd: Authorization failed.
Remote Host Closed
--------------------------------------------------------
In the Unix log I get:
Oct 23 14:19:10 kerbsrvt1 telnetd[11334]: connection from xpbox1.microkerb.org at ipaddr xxx.xx.xxx.xxx
Oct 23 14:19:11 kerbsrvt1 telnetd[11334]: $TELNETD-E-C00008B6, Authorization failed
After this I get the following additional tickets for the Unix realm.
UKREALM
|
|-- krbtgt/UKREALM
|-- host/kerbsrvt1.test.org
Could my mappings be wrong? It appears that I get my cross realm ticket
then fail using it. Any suggestions for changes or additional debugging
that I can be using?
Thank You,
Dain