Windows AD and MIT KDC Cross-Realm Trust

Schikora, Dominik schikora at hrz.uni-siegen.de
Thu Jul 22 09:59:38 EDT 2004


Hello everyone

Douglas E. Engert wrote:

> That is not the way it works. The user would log in with user@KERB.UTA.EDU
> and get a ticket, krbtgt/KERB.UTA.EDU@KERB.UTA.EDU. This is done from the
> Kerberos realm. Then when the user needed to access a Windows resource, such
> as the local workstation during login, a cross-realm ticket would be obtained
> by the client to the Kerberos realm, krbtgt/UTA.EDU@KERB.UTA.EDU.
> This would be used to get the ticket for the server, host/workstation@UTA.EDU,
> from the AD realm. If the account mappings were set up in AD as per
> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
> "Creating Account Mappings" this last service ticket would have the Microsoft
> PAC data in it.

> With cross-realm the two AD/KDC never communicate directly. The client
> gets cross-realm tickets from one to use with the other.

> We do just the opposite. We have our users registered in Windows AD,
> and they authenticate to Windows then get cross-realm for Unix services
> that are registered in the MIT realm.

Hello

This is mainly a question for Mr. Douglas E. Engert, but if anyone else
can help please feel free to do so.
We have a similar organisation as the "opposite" and I can't figure out
how to accomplish the following:
We want users in the AD 2003 domain to authenticate to Windows and then get
a cross-realm ticket for services in the MIT realm.

We manage to achieve that a user with a mapped principal can log in on a
client in the AD with the MIT realm principal and password. He gets a
TGT for the MIT realm and one for the AD 2003 domain. But if the same
user logs in on a client in the AD with the principal and password from
the AD domain he only gets a TGT for the AD domain. If he tries to use a
service in the MIT realm he gets an error from the AD 2003 domain
controller "KDC_S_Principal_unknown".
The problem is that the user doesn't get a cross-realm ticket from the MIT
realm if he logs in as a user in the AD 2003 domain.

It would be great if anyone can give me a hint what to do next.

Thanks, Schikora
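To make the ticket chain Engert describes and the error Schikora reports concrete, here is an added example (not code from this thread): a small Python model in which each KDC holds keys for a set of principals, and a client walks the TGT, cross-realm TGT and service-ticket steps. The realm names follow Engert's example; the service names and the two key layouts (a two-way trust and a one-way one) are constructed for illustration.

```python
# Added example (not from the thread): model which principals each KDC holds
# keys for, then walk the ticket chain a client needs for a cross-realm service.
MIT = "KERB.UTA.EDU"  # MIT realm, as in Engert's example
AD = "UTA.EDU"  # Windows AD realm, as in Engert's example
X_MIT_TO_AD = f"krbtgt/{AD}@{MIT}"  # shared key: MIT users can reach AD services
X_AD_TO_MIT = f"krbtgt/{MIT}@{AD}"  # shared key: AD users can reach MIT services

# Constructed key layouts: each realm maps to the principals its KDC holds keys for.
TWO_WAY = {
    MIT: {f"krbtgt/{MIT}@{MIT}", f"nfs/fileserver@{MIT}", X_MIT_TO_AD, X_AD_TO_MIT},
    AD: {f"krbtgt/{AD}@{AD}", f"host/workstation@{AD}", X_MIT_TO_AD, X_AD_TO_MIT},
}
ONE_WAY = {  # only the MIT -> AD direction has a shared krbtgt key
    MIT: {f"krbtgt/{MIT}@{MIT}", f"nfs/fileserver@{MIT}", X_MIT_TO_AD},
    AD: {f"krbtgt/{AD}@{AD}", f"host/workstation@{AD}", X_MIT_TO_AD},
}


class KdcError(Exception):
    """Raised where a real KDC would answer with an error instead of a ticket."""


def tgs_request(realms, kdc_realm, server_principal):
    """One TGS-REQ to the KDC of kdc_realm: it issues a ticket only for a
    principal whose key it holds; otherwise it answers S_PRINCIPAL_UNKNOWN."""
    if server_principal in realms[kdc_realm]:
        return server_principal
    raise KdcError(f"KDC_ERR_S_PRINCIPAL_UNKNOWN from {kdc_realm} KDC for {server_principal}")


def get_service_ticket(realms, client_realm, service_principal):
    """Return every ticket the client obtains, in order, starting from its own
    TGT in client_realm and ending with the ticket for service_principal."""
    service_realm = service_principal.rsplit("@", 1)[1]
    chain = [f"krbtgt/{client_realm}@{client_realm}"]  # TGT from the AS exchange
    if service_realm != client_realm:
        # Cross-realm: the home KDC issues krbtgt/<other>@<home> ...
        xtgt = tgs_request(realms, client_realm, f"krbtgt/{service_realm}@{client_realm}")
        chain.append(xtgt)
        # ... and the other KDC must hold the same shared key to accept it.
        if xtgt not in realms[service_realm]:
            raise KdcError(f"{service_realm} KDC holds no key for {xtgt}")
    chain.append(tgs_request(realms, service_realm, service_principal))
    return chain


def diagnose(realms, client_realm, service_principal):
    """The ticket chain on success, otherwise the KDC error text a client would see."""
    try:
        return get_service_ticket(realms, client_realm, service_principal)
    except KdcError as err:
        return str(err)
```

Under TWO_WAY, diagnose(TWO_WAY, MIT, "host/workstation@UTA.EDU") yields the three tickets Engert lists; under ONE_WAY, diagnose(ONE_WAY, AD, "nfs/fileserver@KERB.UTA.EDU") stops at the AD KDC with S_PRINCIPAL_UNKNOWN, because that KDC holds no key for krbtgt/KERB.UTA.EDU@UTA.EDU.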