Windows AD and MIT KDC Cross-Realm Trust
Digant Kasundra
digant at uta.edu
Mon Feb 16 10:56:53 EST 2004
> That is not the way it works. The user would login with
> user at KERB.UTA.EDU and get a ticket,
> krbtgt/KERB.UTA.EDU at KERB.UTA.EDU. This is done from the
> Kerberos realm. Then when the user needed to access a Windows
> resource, such as the local workstation during login, a cross realm ticket
> would be obtained by the client to the Kerberos realm, krbtgt/UTA.EDU at KERB.UTA.EDU.
> This would be used to get the ticket for the server,
> host/workstation at UTA.EDU
> from the AD realm. If the account mappings were set up in AD as per
> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
> "Creating Account Mappings" this last service ticket would have the
> Microsoft PAC data in it.
>
> With cross realm the two AD/KDC never communicate directly. The client
> gets cross realm tickets from one to use with the other.
>
> We do just the opposite. We have our users registered in Windows AD, and
> they authenticate to Windows then get cross realm for Unix services
> that are registered in the MIT realm.
I think that's one of the ways you can do it, but that setup isn't
considered "pass-through authentication," which is what we are going for.
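The three-ticket chain the quoted message walks through (initial TGT, cross-realm TGT, then the service ticket from the AD realm), as an added example that is not from the original thread: a small Python walker that reads a constructed krb5.conf `[capaths]` stanza and lists the tickets a client must request, in order. It also handles the general case of multi-hop paths through intermediate realms; the realm names are the thread's, while the krb5.conf fragment and the function names are assumptions.

```python
"""Walk a Kerberos cross-realm trust path the way a client does: its own
TGT, one cross-realm TGT per hop from [capaths], then the service ticket."""
import re

# Constructed krb5.conf fragment (assumption: a direct two-way trust between
# the MIT realm KERB.UTA.EDU and the AD realm UTA.EDU; "." means direct).
KRB5_CONF = """
[capaths]
    KERB.UTA.EDU = {
        UTA.EDU = .
    }
    UTA.EDU = {
        KERB.UTA.EDU = .
    }
"""

def parse_capaths(conf):
    """Return {client_realm: {target_realm: [intermediate realms]}}."""
    paths, client = {}, None
    section = re.search(r"\[capaths\](.*?)(?=\n\[|\Z)", conf, re.S)
    for line in (section.group(1) if section else "").splitlines():
        line = line.strip()
        if m := re.match(r"([\w.-]+)\s*=\s*\{", line):
            client = m.group(1)
            paths[client] = {}
        elif client and (m := re.match(r"([\w.-]+)\s*=\s*([\w.-]+)$", line)):
            target, hop = m.groups()
            hops = paths[client].setdefault(target, [])
            if hop != ".":
                hops.append(hop)      # intermediate realm on the way to target
    return paths

def ticket_chain(client_realm, service, capaths):
    """Principals of the tickets needed, in the order they are requested."""
    service_realm = service.rsplit("@", 1)[1]
    chain = [f"krbtgt/{client_realm}@{client_realm}"]        # initial TGT
    if service_realm != client_realm:
        hops = capaths.get(client_realm, {}).get(service_realm)
        if hops is None:
            raise ValueError(f"no trust path {client_realm} -> {service_realm}")
        issuer = client_realm
        for realm in hops + [service_realm]:                  # cross-realm TGTs
            chain.append(f"krbtgt/{realm}@{issuer}")
            issuer = realm
    chain.append(service)                                     # service ticket
    return chain
```

Note that the walker only says which tickets are requested; whether the final `host/workstation@UTA.EDU` ticket carries a PAC still depends on the AD-side account mapping the quoted message refers to.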