Cross realm auth with MS Server 2003 and MIT kerb

Jeffrey Altman jaltman2 at nyc.rr.com
Wed Oct 20 05:07:57 EDT 2004


Make sure that the only key types you have for the trust
in the MIT KDC for your cross realm principals are DES-CBC-MD5
and RC4-HMAC.  (RC4-HMAC requires 2003 SP1 beta).

BarBaar wrote:

> Hi,
> 
> I am testing a setup with cross realm authentication. I know that
> there are several documents describing this setup, but none of them
> work for me. I followed the instructions of MS Interoperability
> guide, and the guidelines in O'Reilly's Definitive Guide to Kerberos.
> 
> I am using MS Server 2003 with Active Directory. This box is
> test1.test.nl. Using ksetup I added a KDC (test12.test2.nl) and
> created a two way trust relationship with the test2-domain. The AD
> contains a user "tester" with the password "Secret21"
> 
> On the test12.test2.nl (a Debian MIT KDC) I added two princs,
> krbtgt/TEST2.NL at TEST.NL and krbtgt/TEST.nl at TEST2.NL, both having the
> same passwd as the trust on the w2k3 box. The KDC contains a princ
> "tester" with a password "Secret21".
> 
> The third box is a Windows XP SP2 box, client of the test domain. On
> this box I also added the MIT KDC using ksetup. Now I want to logon to
> the test2-kerberos realm. And this is where all goes wrong.
> 
> Authentication fails, I see the standard messagebox on the client,
> telling me that Windows could not authenticate me. But on the MIT KDC
> I can see the authentication attempt (a TGS-REQ and AS-REQ) in the kdc
> logs. So apparently the win XP client does send data to the MIT KDC.
> And the KDC-authentication does succeed (there's no error message)
> 
> One possible cause (but not very likely, I think) is that both the
> WinXP client and Kerb KDC are Virtual machines (running on VMWARE
> GSX-server). The AD-box is just a normal box. So some NAT'ing is
> happening. There is no firewall, as far as I know.
> 
> Any ideas what might be wrong here?
> 
> Thanks

-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
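A quick way to verify the advice in the reply above on the MIT side, written as an added example (not part of the original thread): feed the output of kadmin's `getprinc` for each cross-realm krbtgt principal through a check that flags any key type other than des-cbc-md5 and arcfour-hmac (RC4-HMAC). It assumes the modern MIT "Key: vno N, <enctype>" line format; the sample output is constructed, not captured from a real KDC.

```shell
# Added example, not from the original thread. Inspects MIT kadmin
# "getprinc" output for a cross-realm krbtgt principal and reports any
# key type other than des-cbc-md5 and arcfour-hmac (RC4-HMAC), which a
# Windows 2003 trust partner cannot use.
# Assumption: modern MIT line format "Key: vno N, <enctype>".

allowed_enctypes="des-cbc-md5 arcfour-hmac"

# Reads getprinc output on stdin; prints offending enctypes to stderr
# and returns 1 if any were found, 0 if only the allowed types exist.
check_cross_realm_keys() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            Key:*) ;;          # only the key lines matter
            *) continue ;;
        esac
        # "Key: vno 1, aes256-cts-hmac-sha1-96" -> "aes256-cts-hmac-sha1-96"
        enctype=$(printf '%s\n' "$line" | sed 's/^Key: vno [0-9]*, *//; s/,.*//')
        found=0
        for ok in $allowed_enctypes; do
            [ "$enctype" = "$ok" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            printf 'unexpected enctype on trust key: %s\n' "$enctype" >&2
            bad=1
        fi
    done
    return $bad
}

# Constructed sample: an extra AES key the Windows side cannot use.
sample_mixed='Principal: krbtgt/TEST2.NL@TEST.NL
Number of keys: 3
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, des-cbc-md5
Key: vno 1, arcfour-hmac'

# Constructed sample: only the two key types the reply recommends.
sample_ok='Principal: krbtgt/TEST2.NL@TEST.NL
Number of keys: 2
Key: vno 1, des-cbc-md5
Key: vno 1, arcfour-hmac'

# Real use on the KDC (hypothetical principal name taken from the thread):
#   kadmin.local -q "getprinc krbtgt/TEST2.NL@TEST.NL" | check_cross_realm_keys
```

Run the same check for both directions of the trust (krbtgt/TEST2.NL@TEST.NL and krbtgt/TEST.NL@TEST2.NL), since each has its own key list.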

