Problem with cross-realm authentication (Kerberos Realm & Win2K domain)

Lara Adianto m1r4cle_26 at yahoo.com
Mon Mar 29 12:10:07 EST 2004 

Hello,
 
I have a question about the cross-realm authentication (Kerberos Realm & Win2K)
My scenario is as follows:
a user using a Win2K professional machine authenticates to a Kerberos Realm. This user then wants to access resources in a Win2K domain. I believe that this is possible by configuring trust-relationship between the Kerberos Realm and Win2K domain which I have done following the guidance in Step by step Guide to Kerberos 5 Interoperability article.
.
However, when the user sends a TGS-REQ to the KDC in the Kerberos Realm for service located in Win2K domain, the Kerberos Realm returns KDC_ERR_S _PRINCIPAL_UNKNOWN. After sniffing the packet using ethereal, I noticed that the client sent a TGS_REQ with the canonicalize bit not set. Based on my understanding from the 'Generating KDC Referrals to locate Kerberos realms' draft, the client should send a TGS_REQ with canonicalize bit set so that the KDC can returns a TGS_REP containing PA-SERVER-REFERRAL-INFO.
 
Does anybody have any idea how to solve this problem ?
Is there any other configuration (besides the following) that I should do in the client machine or in the KDC so that the windows client that authenticates to Kerberos realm can access win2k resources in other domain: 
In KDC Kerberos Realm:
- ank -pw password krbtgt/NT_REALM.COM at KERB_REALM.COM
- ank -pw password krbtgt/KERB_REALM.COM at NT_REALM.COM
In Win2K domain:
- Add inter-realm keys in the Active Directory Domains and Trusts (Trusts tab)
- Create account mappings using the AltSecurityId property 

Thanks,
Lara


------------------------------------------------------------------------------------ 
La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit
                                                                        - Guy de Maupassant -
------------------------------------------------------------------------------------

---------------------------------
Do you Yahoo!?
Yahoo! Finance Tax Center - File online. File on time..From bdavids1 at gmu.edu Mon Mar 29 23:08:44 2004
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU
	[18.7.7.76])
	by pch.mit.edu (8.12.8p2/8.12.8) with ESMTP id i2U48hqb025876
	for <kerberos at PCH.mit.edu>; Mon, 29 Mar 2004 23:08:44 -0500 (EST)
Received: from mail02.gmu.edu (mail02.gmu.edu [129.174.0.112])
	i2U48gBO004848
	for <kerberos at mit.edu>; Mon, 29 Mar 2004 23:08:42 -0500 (EST)
Received: from [129.174.19.237] by mserver2.gmu.edu
 (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep  8 2003))
 with ESMTPSA id <0HVD00C6VF3GNC at mserver2.gmu.edu> for kerberos at mit.edu; Mon,
 29 Mar 2004 22:59:42 -0500 (EST)
Date: Mon, 29 Mar 2004 22:59:40 -0500
From: Brian Davidson <bdavids1 at gmu.edu>
To: kerberos at mit.edu
Message-id: <AB837A1E-81FE-11D8-AFC7-000393CCB774 at gmu.edu>
MIME-version: 1.0
X-Mailer: Apple Mail (2.613)
Content-type: text/plain; charset=US-ASCII; format=flowed
Content-transfer-encoding: 7BIT
Subject: Kerberized Apps
X-BeenThere: kerberos at mit.edu
X-Mailman-Version: 2.1
Precedence: list
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Help: <mailto:kerberos-request at mit.edu?subject=help>
List-Post: <mailto:kerberos at mit.edu>
List-Subscribe: <https://mailman.mit.edu/mailman/listinfo/kerberos>,
	<mailto:kerberos-request at mit.edu?subject=subscribe>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos>
List-Unsubscribe: <https://mailman.mit.edu/mailman/listinfo/kerberos>,
	<mailto:kerberos-request at mit.edu?subject=unsubscribe>
X-List-Received-Date: Tue, 30 Mar 2004 04:08:44 -0000

Hello all,

We're moving towards kerberizing our place, and I'm curious what sorts 
of applications you all have had success with.  We've got Active 
Directory and OpenAFS utilizing our MIT Kerberos 5 KDC at this point.

I've followed the "WebISO: the killer kerbero app" thread here, have 
played some with the Microsoft http-SPNEGO stuff, and hope to see 
draft-nystrom-http-sasl accepted and implemented in the near future.  
I'm leaning towards http-SPNEGO + pubCookie for the short term, and 
http-SASL + pubCookie for the longer term.

I'm curious how others have fared with things like:
iPlanet/SUNOne LDAP,SMTP,IMAP and POP
Oracle
Email clients (which ones work for you)
Various OSes such as: Solaris, Linux, Tru64, HP-UX, Microsoft 
Win-whatever, etc
Any killer kerberized apps at your site

I'm not looking for detailed step by step instructions (hey, I won't 
turn it down), more just a "yep, we've got it working" or "nope, don't 
know of anyone who's gotten that to work" for the SUNOne and Oracle 
products.  I'm working on putting together a demo of this for our 
campus to help promote Kerberos usage, and would prefer to not waste my 
time on things which nobody here has been able to get working either.

Thanks in advance for any/all replies/advice/help/etc!

I'll merge all replies into a consolidated email which I'll post back 
here.  Also I'll keep a copy in case anyone in the future asks a 
similar question.

Brian Davidson
George Mason University

More information about the Kerberos mailing list