step by step guide for Windows 2003 Server and MIT Kerberos trust?

Jeffrey Altman jaltman2 at
Thu Jun 10 13:00:57 EDT 2004

Rodney M Dyer wrote:
> At 09:41 AM 6/10/2004, Jeffrey Altman wrote:
>> This is another reason why I like the cross-realm solution for managing
>> non-Windows services.   Let Active Directory manage the Windows based
>> services and an MIT KDC manage the non-Windows services.  Use
>> cross-realm between the two to obtain the service tickets for the
>> non-Windows services.
> Right, and I'm finding this solution sucks because Microsoft needs the 
> PAC for authorizing anything.  The way things are going it looks like 
> using a Microsoft AD for a KDC is the "better" solution if you ever need 
> to use Microsoft services from a client that doesn't know about the 
> trust.  In our case this is the fate we have run into when trying to 
> truly kerberize Exchange, you can't.  I think the whole Kerberos 
> interoperability marketing by Microsoft is just a ghost, a facade.  In 
> fact, unless you use AD as the KDC in your organization, you are looking 
> at more hurt than help.
> Rodney

AFS is not a Windows Service and it does not require a PAC.  There is
no reason why you cannot use cross-realm to obtain service tickets for

The problem you are experiencing is not a Kerberos problem but an
authorization problem inherent to Microsoft Exchange.   It is not a
question of a PAC in that case either.  If you have a mapping of the
external realm user to a Microsoft account you can obtain a PAC for
the user when the cross realm TGT is issued.  The problem is that
Microsoft Exchange cannot handle the external realm principal name.
At least this is my understanding of the problem.

Jeffrey Altman

This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
