Cross realm auth with MS Server 2003 and MIT kerb
Jeffrey Altman
jaltman2 at nyc.rr.com
Wed Oct 20 05:07:57 EDT 2004
Make sure that the only key types you have for the trust
in the MIT KDC for your cross realm principals are DES-CBC-MD5
and RC4-HMAC. (RC4-HMAC requires 2003 SP1 beta.)
BarBaar wrote:
> Hi,
>
> I am testing a setup with cross realm authentication. I know that
> there are several documents describing this setup, but none of them
> work for me. I followed the instructions of the MS Interoperability
> guide, and the guidelines in O'Reilly's Definitive Guide to Kerberos.
>
> I am using MS Server 2003 with Active Directory. This box is
> test1.test.nl. Using ksetup I added a KDC (test12.test2.nl) and
> created a two way trust relationship with the test2-domain. The AD
> contains a user "tester" with the password "Secret21"
>
> On the test12.test2.nl (a Debian MIT KDC) I added two princs,
> krbtgt/TEST2.NL at TEST.NL and krbtgt/TEST.nl at TEST2.NL, both having the
> same passwd as the trust on the w2k3 box. The KDC contains a princ
> "tester" with a password "Secret21".
>
> The third box is a Windows XP SP2 box, client of the test domain. On
> this box I also added the MIT KDC using ksetup, Now I want to logon to
> the test2-kerberos realm. And this is where all goes wrong.
>
> Authentication fails, I see the standard messagebox on the client,
> telling me that Windows could not authenticate me. But on the MIT KDC
> I can see the authentication attempt (a TGS-REQ and AS-REQ) in the kdc
> logs. So apparently the win XP client does send data to the MIT KDC.
> And the KDC authentication does succeed (there's no error message).
>
> One possible cause (but not very likely, I think) is that both the
> WinXP client and Kerb KDC are Virtual machines (running on VMWARE
> GSX-server). The AD-box is just a normal box. So some NAT'ing is
> happening. There is no firewall, as far as I know.
>
> Any ideas what might be wrong here?
>
> Thanks
--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
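A way to verify the advice in the reply above, added here as an example rather than code from the thread: it parses the output of MIT `kadmin.local -q "getprinc ..."` for the cross-realm krbtgt principals, flags any key type other than DES-CBC-MD5 and RC4-HMAC (named `des-cbc-md5` and `arcfour-hmac` in MIT), and prints the `cpw -e` command that would re-key an offending principal with only those keysalts. The getprinc text is constructed sample output using current MIT enctype names, and the trust password is supplied interactively when `cpw` prompts for it.

```python
import re
from typing import Dict, List, Optional

# MIT names for the two key types the reply permits on cross-realm principals.
ALLOWED_ENCTYPES = {"des-cbc-md5", "arcfour-hmac"}

# Constructed sample of getprinc output for both directions of the trust;
# the second principal carries an extra AES key that the reply says must not be there.
SAMPLE_GETPRINC = """\
Principal: krbtgt/TEST2.NL@TEST.NL
Expiration date: [never]
Number of keys: 2
Key: vno 1, des-cbc-md5
Key: vno 1, arcfour-hmac
Principal: krbtgt/TEST.NL@TEST2.NL
Expiration date: [never]
Number of keys: 3
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, des-cbc-md5
Key: vno 2, arcfour-hmac
"""

# "Key: vno N, <enctype>[, <salt>]" -- capture the enctype field only.
KEY_LINE = re.compile(r"^Key:\s+vno\s+(\d+),\s+([^,\s]+)")

def parse_getprinc(text: str) -> Dict[str, List[str]]:
    """Map each principal in getprinc output to the list of its key enctypes."""
    keys: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if line.startswith("Principal:"):
            current = line.split(":", 1)[1].strip()
            keys[current] = []
        elif current is not None:
            m = KEY_LINE.match(line)
            if m:
                keys[current].append(m.group(2))
    return keys

def unsupported_keys(text: str) -> Dict[str, List[str]]:
    """Per krbtgt principal, the key types outside ALLOWED_ENCTYPES (empty if all clean)."""
    bad: Dict[str, List[str]] = {}
    for princ, enctypes in parse_getprinc(text).items():
        if not princ.startswith("krbtgt/"):
            continue  # only the cross-realm trust principals matter here
        extra = [e for e in enctypes if e not in ALLOWED_ENCTYPES]
        if extra:
            bad[princ] = extra
    return bad

def fix_commands(text: str) -> List[str]:
    """kadmin.local commands that re-key each offending principal with only the allowed keysalts."""
    keysalts = "des-cbc-md5:normal,arcfour-hmac:normal"
    return [f'kadmin.local -q "cpw -e {keysalts} {p}"' for p in sorted(unsupported_keys(text))]

if __name__ == "__main__":
    for princ, extra in unsupported_keys(SAMPLE_GETPRINC).items():
        print(f"{princ}: unsupported key types {extra}")
    for cmd in fix_commands(SAMPLE_GETPRINC):
        print(cmd)
```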