Windows AD and MIT KDC Cross-Realm Trust

Actually davidchr davespam at microsoft.com
Fri Feb 13 19:28:51 EST 2004


Are you trying to log the user onto the DC?  If not, you shouldn't see
any traffic going from the DC to the realm's KDC-- the traffic should
come from the machine where the user is trying to log on.

Common gotchas in this area off the top of my head:

1. make sure the trust is a "realm" trust (the MMC Domains and Trusts
snap-in will create the trust with the REALM attribute, but other tools
may not).  The trust relationship can be 1- or 2-way, but should have
the "REALM" attribute so that the Windows domain knows it's not another
Windows domain.

2. make sure that all Windows machines involved (DCs, members, etc) have
the right KSETUP settings so that they know how to locate the other
realm.  At the very least, the other realm must be defined (even if it
has no KDCs).  If the other realm isn't using DNS to locate KDCs, make
sure to define the KDCs with KSETUP on all applicable Windows machines.


3. make sure that the other realm will issue and accept DES tickets
(that is, DES-CRC or DES-MD5).  

4. make sure that the user you're trying to log on has the right KSETUP
/mapuser settings-- that is, that the realm principal is correctly
mapped to a Windows account.  If this doesn't work, you will
authenticate, but Windows will have no authorization data to do access
control with.

In case you haven't read it, check out
<http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp>,
which describes much of this in greater detail.


...if all else fails, what errors (if any) do you see when trying to
log on?  What release of Windows are you using?

Thanks!
-Dave

---
This message is provided "AS IS" with no warranties, and confers no
rights.
This message may originate from an unmonitored alias ("davespam") for
spam-reduction purposes.  Use "davidchr" for individual replies.
Any opinions or policies stated within are my own and do not necessarily
constitute those of my employer.
This message originates in the State of Washington (USA), where
unsolicited commercial email is legally actionable (see
http://www.wa.gov/ago/junkemail).
Harvesting of this address for purposes of bulk email (including "spam")
is prohibited unless by my expressed prior request.  I retaliate
viciously against spammers and spam sites.
 

> -----Original Message-----
> From: kerberos-bounces at mit.edu 
> [mailto:kerberos-bounces at mit.edu] On Behalf Of Digant Kasundra
> Sent: Friday, February 13, 2004 3:03 PM
> To: kerberos at mit.edu
> Subject: Windows AD and MIT KDC Cross-Realm Trust
> 
> Hello everyone,
>
> I have found plenty of step-by-step instructions on this but we have
> failed to get them to work.  Here is what I've got:
>
> We have a Windows domain (UTA.EDU) and a Kerberos realm (KERB.UTA.EDU).
> We want to test pass-through authentication on the Windows side so that
> when Windows users log in, the DC will authenticate them against the
> Kerberos realm.
>
> We have tried creating both a 1-way and a 2-way trust between the two
> and neither has worked for us.  I have followed the directions as
> provided by the UPenn website and the UCAR website.  But, regardless,
> when a user tries to log in, I don't see an authentication request
> coming from the DC to the Kerberos box.
>
> As I said, we have already done the steps as described below:
> http://acd.ucar.edu/~fredrick/linux/kerberos/serversetup.html
>
> Anyone have any ideas (or if this is off topic, can someone tell me a
> newsgroup where I can find this out?)
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
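The checklist in Dave's reply, written out as the ksetup commands a Windows machine needs for the poster's realm pair. This is an added example, not code from the thread or from Microsoft; the KDC hostname `kdc.kerb.uta.edu`, the account name `dkasundra` and the `netdom` syntax are assumptions, and it assumes the MIT side already holds the two cross-realm `krbtgt` principals with a DES enctype (point 3).

```powershell
# Added example (not from the thread). Run from an elevated shell on every
# Windows machine involved: the DCs and the members users log on from (point 2).
$Realm = "KERB.UTA.EDU"
$Kdc   = "kdc.kerb.uta.edu"   # assumed KDC hostname, not given in the thread

# Point 2: define the realm and its KDC explicitly so Windows does not depend
# on DNS SRV records (_kerberos._udp.KERB.UTA.EDU) to locate it.
ksetup /addkdc $Realm $Kdc
ksetup /addkpasswd $Realm $Kdc

# Point 2 (cont.): declare which hosts belong to the MIT realm, so tickets for
# them are requested through the cross-realm path instead of the local domain.
ksetup /addhosttorealmmap $Kdc $Realm

# Point 4: map a realm principal to a Windows account. Without a mapping the
# cross-realm ticket is accepted, but the DC has no SID/authorization data for
# the user, so authentication succeeds and logon still fails. Map explicitly;
# the wildcard form "ksetup /mapuser * *" implicitly trusts every principal in
# the realm to a same-named account. For domain (not local) accounts the same
# mapping lives in the account's altSecurityIdentities attribute in AD.
ksetup /mapuser "dkasundra@$Realm" dkasundra   # assumed account name

# Verify: ksetup with no arguments dumps the stored realm, KDC and mapping
# settings; compare the output against points 1-4 before retrying the logon.
ksetup

# Point 1 (once, on a DC): create the trust with the REALM attribute so the
# domain treats KERB.UTA.EDU as a Kerberos realm rather than a Windows domain.
# The trust password must equal the password of krbtgt/UTA.EDU@KERB.UTA.EDU on
# the MIT KDC, since both sides derive the shared key from it. Syntax assumed:
# netdom trust UTA.EDU /domain:$Realm /add /realm /passwordt:<trust-password>
```

The DES requirement in point 3 reflects the Windows releases of 2004; current Windows versions disable the DES enctypes by default, and a cross-realm trust today should use a stronger enctype on both sides rather than re-enabling DES.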