Windows AD and MIT KDC Cross-Realm Trust

Douglas E. Engert deengert at anl.gov
Fri Feb 13 19:51:03 EST 2004



Digant Kasundra wrote:
> 
> Hello everyone,
> 
> I have found plenty of step by step instructions on this but we have failed
> to get them to work.  Here is what I've got:
> 
> We have a windows domain (UTA.EDU) and a kerberos realm (KERB.UTA.EDU).  We
> want to test pass-through authentication on the Windows side so that when
> windows users login, the DC will authenticate them against the kerberos
> realm.
> 
> We have tried creating both a 1 way and a 2 way trust between the two and
> neither has worked for us.  I have followed the directions as provided by
> the UPenn website and the UCAR website.  But, regardless, when a user tries
> to login, I don't see an authentication request coming from the DC to the
> Kerberos box.

That is not the way it works. The user would login with user at KERB.UTA.EDU
and get a ticket, krbtgt/KERB.UTA.EDU at KERB.UTA.EDU. This is done from the
Kerberos realm. Then when the user needed to access a Windows resource, such
as the local workstation during login, a cross realm ticket would be obtained
by the client from the Kerberos realm, krbtgt/UTA.EDU at KERB.UTA.EDU.
This would be used to get the ticket for the server, host/workstation at UTA.EDU
from the AD realm. If the account mappings were set up in AD as per
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
"Creating Account Mappings" this last service ticket would have the Microsoft
PAC data in it.

With cross realm the two AD/KDC never communicate directly. The client
gets cross realm tickets from one to use with the other.

We do just the opposite. We have our users registered in Windows AD,
and they authenticate to Windows then get cross realm for Unix services
that are registered in the MIT realm.

> 
> As I said, we have already done the steps as described below:
> http://acd.ucar.edu/~fredrick/linux/kerberos/serversetup.html
> 
> Anyone have any ideas (or if this is off topic, can someone tell me a
> newsgroup where I can find this out at?)
> 

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
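The ticket chain the reply describes, as an added model that is not part of the original thread: each step is driven by the client against one KDC, and the two KDCs never exchange a message. Realm names are the thread's; the trust key layout and the workstation principal are assumptions.

```python
"""Model of the cross-realm ticket chain described above (added example, not
from the original thread). Realm names are the thread's; the trust setup and
the workstation name are assumptions."""
from dataclasses import dataclass


@dataclass
class Realm:
    name: str
    # Cross-realm krbtgt principals this KDC holds a key for. The trust
    # krbtgt/B@A must exist in BOTH A (to issue it) and B (to accept it).
    # A one-way trust is one such principal; a two-way trust needs both.
    xrealm_keys: frozenset


def realm_of(principal: str) -> str:
    return principal.rsplit("@", 1)[1]


def ticket_chain(client: str, service: str, realms: dict) -> list:
    """Return [(ticket principal, KDC that issued it), ...] for the client.

    The client drives every step; the KDCs never talk to each other, so a
    trust misconfiguration surfaces as a LookupError at the client, not as
    traffic between the DC and the MIT KDC."""
    home, target = realm_of(client), realm_of(service)
    # AS exchange with the home KDC: the user authenticates here, nowhere else.
    chain = [(f"krbtgt/{home}@{home}", home)]
    if target != home:
        xtgt = f"krbtgt/{target}@{home}"
        if xtgt not in realms[home].xrealm_keys:
            raise LookupError(f"{home} cannot issue {xtgt}: no trust key")
        if xtgt not in realms[target].xrealm_keys:
            raise LookupError(f"{target} cannot decrypt {xtgt}: no trust key")
        # TGS exchange with the home KDC for the cross-realm TGT.
        chain.append((xtgt, home))
    # TGS exchange with the service's KDC, presenting the (cross-realm) TGT.
    chain.append((service, target))
    return chain


# Constructed one-way trust: UTA.EDU (AD) accepts KERB.UTA.EDU (MIT) users.
ONE_WAY = {
    "KERB.UTA.EDU": Realm("KERB.UTA.EDU", frozenset({"krbtgt/UTA.EDU@KERB.UTA.EDU"})),
    "UTA.EDU": Realm("UTA.EDU", frozenset({"krbtgt/UTA.EDU@KERB.UTA.EDU"})),
}

if __name__ == "__main__":
    for tkt, kdc in ticket_chain("user@KERB.UTA.EDU", "host/ws.uta.edu@UTA.EDU", ONE_WAY):
        print(f"{tkt:40} issued by {kdc}")
```

Running it with the opposite direction (an AD user reaching an MIT-registered Unix service, the setup the reply says it uses) fails on this one-way trust, because krbtgt/KERB.UTA.EDU@UTA.EDU has no key on either side.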

