Windows AD and MIT KDC Cross-Realm Trust

Douglas E. Engert deengert at anl.gov
Thu Jul 22 12:07:12 EDT 2004



"Schikora, Dominik" wrote:
> 
> Hello everyone
> 
> Douglas E. Engert wrote:
> 
> > That is not the way it works. The user would login with user at
> > KERB.UTA.EDU and get a ticket, krbtgt/KERB.UTA.EDU at KERB.UTA.EDU.
> > This is done from the Kerberos realm. Then when the user needed to
> > access a Windows resource, such as the local workstation during login,
> > a cross realm ticket would be obtained by the client to the Kerberos
> > realm, krbtgt/UTA.EDU at KERB.UTA.EDU. This would be used to get the
> > ticket for the server, host/workstation at UTA.EDU, from the AD realm.
> > If the account mappings were set up in AD as per
> > http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
> > "Creating Account Mappings", this last service ticket would have the
> > Microsoft PAC data in it.
> 
> > With cross realm the two AD/KDC never communicate directly. The client
> > gets cross realm tickets from one to use with the other.
> 
> > We do just the opposite. We have our users registered in Windows AD,
> > and they authenticate to Windows, then get cross realm for Unix services
> > that are registered in the MIT realm.
> 
> Hello
> 
> This is mainly a question for Mr. Douglas E. Engert, but if anyone else
> can help please feel free to do so.
> We have a similar organisation as the "opposite" and I can't figure out
> how to accomplish the following:
> We want users in the AD 2003 domain to authenticate to Windows and then get
> a cross realm ticket for services in the MIT realm.
> 
> We managed to achieve that a user with a mapped principal can log in on a
> client in the AD with the MIT realm principal and password. He gets a
> TGT for the MIT realm and one for the AD 2003 domain. But if the same
> user logs in on a client in the AD with the principal and password from
> the AD domain he only gets a TGT for the AD domain.

Yes that would be normal, see below. 

> If he tries to use a
> service in the MIT realm he gets an error from the AD 2003 domain
> controller, "KDC_S_Principal_unknown".

Sounds like the client lib is assuming the service is in the user's realm. 

The client has to determine the realm of the service. 

If the client lib is the Microsoft lib, and the KDC is the AD, then "referrals"
might work as the wrong KDC can refer the client to some other realm.
But referrals only work within the domain forest, as the AD does not know
about the MIT realm and the servers registered there.  
(Referrals are not standard yet.) If the client lib is MIT, the client 
will try and use the krb5.conf [domain_realm] section or DNS domain name
to determine the realm of the service.

Once the client lib realizes the service is in another realm from the user, it 
will use the user's TGT to get the cross realm TGT, which it will use to get 
the service ticket.  

> The problem is that the user doesn't get a cross realm ticket from the MIT
> realm if he logs in as a user of the AD 2003 domain.

See above, it will only ask for a cross realm TGT if it needs to get
a service ticket from that realm. 

> 
> It would be great if anyone can give me a hint what to do next.
> 
> Thanks Schikora
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
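The realm-determination step described in the reply above (the MIT client lib consulting the krb5.conf [domain_realm] section, then falling back to the DNS domain name, before deciding it needs a cross realm TGT) as an added worked example; this is not code from the thread or from MIT Kerberos. The realm names UTA.EDU and KERB.UTA.EDU come from the thread's example, the krb5.conf fragment and host names are constructed for illustration.

```python
from typing import Dict, Optional

# Constructed krb5.conf fragment (not from the thread). UTA.EDU is the AD
# domain, KERB.UTA.EDU the MIT realm; the host names are made up.
KRB5_CONF = """
[libdefaults]
    default_realm = UTA.EDU

[domain_realm]
    .uta.edu = UTA.EDU            # AD workstations and servers by default
    uta.edu = UTA.EDU
    .unix.uta.edu = KERB.UTA.EDU  # whole Unix subdomain lives in the MIT realm
    nfs01.uta.edu = KERB.UTA.EDU  # one MIT-registered host outside that subdomain
"""

def parse_domain_realm(conf_text: str) -> Dict[str, str]:
    """Minimal parser for the [domain_realm] section; keys are compared lowercased."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "domain_realm" and "=" in line:
            key, realm = (p.strip() for p in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping

def realm_for_host(hostname: str, domain_realm: Dict[str, str]) -> Optional[str]:
    """MIT-style lookup: an exact host entry wins, then the longest matching
    '.domain' suffix; with no match, fall back to the DNS domain uppercased."""
    host = hostname.rstrip(".").lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):                   # longest suffix first
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return ".".join(labels[1:]).upper() if len(labels) > 1 else None

def cross_realm_tgt_name(user_realm: str, service_host: str,
                         domain_realm: Dict[str, str]) -> Optional[str]:
    """Name of the cross realm TGT the client must request with the user's own
    TGT before asking for the service ticket; None if no cross realm is needed."""
    service_realm = realm_for_host(service_host, domain_realm)
    if service_realm is None or service_realm == user_realm.upper():
        return None
    return f"krbtgt/{service_realm}@{user_realm.upper()}"
```

Without the `.unix.uta.edu` and `nfs01.uta.edu` entries every host under uta.edu resolves to the AD realm, which is exactly the situation where the client asks the AD DC for the MIT service and gets principal-unknown back.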

