Cross-realm authentication between Windows 2000 and MIT KDC problems
Thomas Barlen
BARLEN at de.ibm.com
Tue Aug 31 12:35:29 EDT 2004
Hi everyone,
I'm trying to get cross-realm authentication to work between a Windows 2000 domain (realm WIN.COM) and a MIT KDC (realm i5.COM). I've set up the cross-realm trust on both systems. The client is Windows 2000 Pro and is a member of the Windows domain. On the client and Win KDC side I have used ksetup to add the realm I5 KDC to the registry. When I log in to the Windows domain and access a Unix service that is registered in Active Directory, I get a service ticket back. When I try to access another service that is registered in the MIT KDC I5, the Windows domain controller just returns a Kerberos error Service Principal Unknown. The TGS request has the canonicalize bit turned on. What am I missing here, such that the Windows domain controller does not return a referral ticket to the client? BTW, the IP domains and the Kerberos realms have the same name.

When I log in to the MIT KDC using another account and try to access a service that is registered in the Windows AD, I get the referral ticket from the MIT KDC and the service ticket from the Windows KDC. So domain to realm mapping works from the MIT to the Windows KDC but not vice versa.

Any hint is very much appreciated.
Thanks,
Tom
Kind regards / Mit freundlichen Grüßen
Thomas Barlen
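For reference, the MIT-side krb5.conf that describes the two-way trust discussed in the post above, as an added example (not the poster's configuration). Host names kdc.i5.com and dc.win.com are assumed; the MIT realm is written as I5.COM throughout, because realm names are case-sensitive and the post spells it both i5.COM and I5.

```ini
# krb5.conf on the MIT KDC and its Unix clients (added example; assumed
# hosts: MIT KDC kdc.i5.com, Windows 2000 domain controller dc.win.com)
[libdefaults]
    default_realm = I5.COM

[realms]
    I5.COM = {
        kdc = kdc.i5.com
        admin_server = kdc.i5.com
    }
    WIN.COM = {
        kdc = dc.win.com
        admin_server = dc.win.com
    }

# Host/domain-to-realm mapping consulted when a client asks for a service
# whose host lives in the other realm. Even when DNS domain and realm share
# a name, as in the post, the mapping is explicit here: left side is the
# lower-case DNS suffix, right side the realm.
[domain_realm]
    .i5.com  = I5.COM
    i5.com   = I5.COM
    .win.com = WIN.COM
    win.com  = WIN.COM

# Direct trust in both directions; "." means no intermediate realm.
[capaths]
    I5.COM = {
        WIN.COM = .
    }
    WIN.COM = {
        I5.COM = .
    }
```

The trust keys themselves are the principals krbtgt/I5.COM@WIN.COM (Windows clients reaching MIT services) and krbtgt/WIN.COM@I5.COM (the reverse), which must exist in both KDC databases with the same password on each side.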