Windows AD and MIT KDC Cross-Realm Trust
Digant Kasundra
digant at uta.edu
Tue Feb 17 17:00:07 EST 2004
> > That being the case, when a user tries to login using
> > bwinkle at kerb.uta.edu, I do see a request hit the KDC but the user
> > still does not get logged in. According to the logs, I see
> an AS_REQ
> > "bwinkle at KERB.UTA.EDU for krbtgt/KERB.UTA.EDU at KERB.UTA.EDU".
>
> Yes that is the first step.
>
> This would then be used by the workstation to get a ticket
> for the workstation
> if the workstation is in the same realm as the user. If not
> this would be used
> to get a krbtgt.
Unfortunately, that is the only request I see.
>
> > In my principles on the KDC machine
> > (montyburns), I have bwinkle at KERB.UTA.EDU <mailto:bwinkle at KERB.UTA.EDU>
,
> > krbtgt/KERB.UTA.EDU at KERB.UTA.EDU, krbtgt/KERB.UTA.EDU at UTA.EDU and
> > krbtgt/UTA.EDU at KERB.UTA.EDU (as well as the kadmin ones that are
> > created at install).
> >
> > What else should I look at?
>
> Is the workstation part of a domain?
>
> What does ksetup on the workstion show?
>
Ksetup on the machine reveals that the machine's primary realm is
KERB.UTA.EDU and that the kdc is montyburns.uta.edu (which is correct). I'm
not sure what it doesn't continue on with the transactions.
More information about the Kerberos
mailing list