Cross realm auth with MS Server 2003 and MIT kerb

Douglas E. Engert deengert at
Wed Oct 20 10:46:37 EDT 2004

Jeffrey Altman wrote:

> Make sure that the only key type you have for the trust
> in the MIT KDC for your cross realm principals are DES-CBC-MD5
> and RC4-HMAC.  (RC4-HMAC requires 2003 SP1 beta).
> BarBaar wrote:
>>I am testing a setup with cross realm authentication. I know that
>>there are several documents describing this setup, but none of them
>>work for me. I followed the instructions of the MS Interoperability
>>guide, and the guidelines in O'Reilly's Definitive Guide to Kerberos.
>>I am using MS Server 2003 with Active Directory. This box is
>> Using ksetup I added a KDC ( and
>>created a two way trust relationship with the test2-domain. The AD
>>contains a user "tester" with the password "Secret21"
>>On the (a Debian MIT KDC) I added two princs,
>>krbtgt/TEST2.NL at TEST.NL and krbtgt/ at TEST2.NL, both having the
>>same passwd as the trust on the w2k3 box. The KDC contains a princ
>>"tester" with a password "Secret21".
>>The third box is a Windows XP SP2 box, client of the test domain. On
>>this box I also added the MIT KDC using ksetup. Now I want to log on to
>>the test2-kerberos realm. And this is where all goes wrong.

So let me get this straight. You have two realms, TEST.NL (AD)
and TEST2.NL (MIT based).

The user is tester at TEST2.NL.

The workstation, i.e. the server in this case, is the XP box with principal
host/yourxp at TEST.NL because it is a member of the domain.

What should happen when you try to log in to the XP:

    workstation requests TGT from TEST2.NL

    workstation decrypts using the password.

    workstation tries to use this TGT to get cross realm TGT for the
    realm of the workstation.

    workstation uses this cross realm to get service ticket
    for its principal.

    Workstation then uses PAC from ticket to map you to the
    correct account on the workstation.

So any number of things could be wrong. Since you are trying
to use an MIT generated ticket it does not have a PAC. So when
the workstation tries to determine what local account you are
authorized for, it can't figure this out.

There is some way to tell AD that it can accept a Kerberos ticket
from an MIT realm as authentication to an AD account. This might
be what is missing. In this case the cross realm TGT would then
have PAC information that the workstation could then use.

Another simpler test to start with is have an XP workstation that
is not part of a domain, but is registered with the MIT realm.
(My W2000 machine is like this. We do just the opposite, use the AD
principals to log on to Unix.) Then run the ksetup and add the mapping
to local accounts and add a principal for host/nondomainworkstation at TEST2.NL.
Then you can use a user principal from either TEST.NL or TEST2.NL to
login to the workstation. This would verify that your cross realm
keys are correct in one direction.

>>Authentication fails, I see the standard message box on the client,
>>telling me that Windows could not authenticate me. But on the MIT KDC
>>I can see the authentication attempt (a TGS-REQ and AS-REQ) in the kdc
>>logs. So apparently the Win XP client does send data to the MIT KDC.
>>And the KDC authentication does succeed (there's no error message).
>>One possible cause (but not very likely, I think) is that both the
>>WinXP client and Kerb KDC are Virtual machines (running on VMWARE
>>GSX-server). The AD-box is just a normal box. So some NAT'ing is
>>happening. There is no firewall, as far as I know.
>>Any ideas what might be wrong here?


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
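The sequence Doug lays out (AS-REQ for the home-realm TGT, then a TGS-REQ for the cross-realm TGT) can be checked against the kdc logs BarBaar mentions. The following is an added example, not code from this thread: a small Python check that walks MIT krb5kdc log lines, confirms both steps for the user, and flags the case Jeffrey Altman warns about, where the MIT KDC issues the trust ticket with a key type the Windows 2003 side cannot use, which is exactly the "KDC logs success, Windows says it cannot authenticate" symptom. The log-line layout, the realm and user names, and the enctype numbers 3 (des-cbc-md5), 16 (des3-cbc-sha1) and 23 (rc4-hmac) are assumptions; the sample log lines are constructed.

```python
import re

# Enctypes a Windows 2003 trust can use, per this thread: 3 = des-cbc-md5,
# 23 = rc4-hmac (rc4-hmac needs 2003 SP1). Numbers are an assumption.
WINDOWS_TRUST_ETYPES = {3, 23}

# Modelled on the krb5kdc "ISSUE" log line; the layout is an assumption,
# compare it with your own kdc.log before relying on it.
ISSUE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) \S+: ISSUE: authtime "
    r"\d+, etypes \{rep=\d+ tkt=(?P<tkt>\d+) ses=\d+\}, (?P<client>\S+) for "
    r"(?P<server>\S+)")

def parse_issue(line):
    """Fields of one successful KDC issue line, or None for anything else."""
    m = ISSUE_RE.search(line)
    return m and {"req": m["req"], "tkt": int(m["tkt"]),
                  "client": m["client"], "server": m["server"]}

def check_cross_realm(log_lines, user, home_realm, ws_realm):
    """Check the KDC log for user@home_realm logging in to a workstation in
    ws_realm: step 1 is an AS_REQ, step 2 a TGS_REQ for the cross-realm TGT,
    and that TGT must be issued with an enctype the Windows side can use."""
    principal = f"{user}@{home_realm}"
    xrealm_tgt = f"krbtgt/{ws_realm}@{home_realm}"
    result = {"as_req": False, "xrealm_tkt_etype": None, "problems": []}
    for line in log_lines:
        ev = parse_issue(line)
        if not ev or ev["client"] != principal:
            continue
        if ev["req"] == "AS_REQ":
            result["as_req"] = True
        elif ev["req"] == "TGS_REQ" and ev["server"] == xrealm_tgt:
            result["xrealm_tkt_etype"] = ev["tkt"]
            if ev["tkt"] not in WINDOWS_TRUST_ETYPES:
                # The MIT side logs success, but AD cannot decrypt the ticket:
                # the "KDC says ok, Windows says cannot authenticate" symptom.
                result["problems"].append(
                    f"{xrealm_tgt} issued with etype {ev['tkt']}, trust key "
                    f"must be one of {sorted(WINDOWS_TRUST_ETYPES)}")
    if not result["as_req"]:
        result["problems"].append(f"no AS_REQ for {principal} seen")
    elif result["xrealm_tkt_etype"] is None:
        result["problems"].append(f"no TGS_REQ for {xrealm_tgt} seen")
    return result

# Constructed sample, not a real log: the cross-realm TGT came out as
# des3-cbc-sha1 (16), which the Windows 2003 trust cannot use.
SAMPLE_KDC_LOG = """\
Oct 20 10:40:01 kdc krb5kdc[1234](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.10: ISSUE: authtime 1098283201, etypes {rep=23 tkt=16 ses=23}, tester@TEST2.NL for krbtgt/TEST2.NL@TEST2.NL
Oct 20 10:40:01 kdc krb5kdc[1234](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.10: ISSUE: authtime 1098283201, etypes {rep=23 tkt=16 ses=23}, tester@TEST2.NL for krbtgt/TEST.NL@TEST2.NL
""".splitlines()
```

Running `check_cross_realm(SAMPLE_KDC_LOG, "tester", "TEST2.NL", "TEST.NL")` on the sample reports the etype 16 problem; once the trust key is limited to des-cbc-md5 or rc4-hmac the same check comes back clean.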
