Cross realm auth with MS Server 2003 and MIT kerb

BarBaar beurdy at priest.com
Wed Oct 20 04:57:02 EDT 2004


Hi,

I am testing a setup with cross-realm authentication. I know that
there are several documents describing this setup, but none of them
work for me. I followed the instructions in the MS Interoperability
guide and the guidelines in O'Reilly's Definitive Guide to Kerberos.

I am using MS Server 2003 with Active Directory. This box is
test1.test.nl. Using ksetup I added a KDC (test12.test2.nl) and
created a two-way trust relationship with the test2 domain. The AD
contains a user "tester" with the password "Secret21".

On test12.test2.nl (a Debian MIT KDC) I added two princs,
krbtgt/TEST2.NL@TEST.NL and krbtgt/TEST.nl@TEST2.NL, both having the
same password as the trust on the W2K3 box. The KDC contains a princ
"tester" with the password "Secret21".

The third box is a Windows XP SP2 box, a client of the test domain. On
this box I also added the MIT KDC using ksetup. Now I want to log on to
the test2 Kerberos realm, and this is where it all goes wrong.

Authentication fails: I see the standard message box on the client
telling me that Windows could not authenticate me. But on the MIT KDC
I can see the authentication attempt (a TGS-REQ and an AS-REQ) in the KDC
logs. So apparently the Win XP client does send data to the MIT KDC,
and the KDC authentication does succeed (there's no error message).

One possible cause (but not very likely, I think) is that both the
WinXP client and the Kerberos KDC are virtual machines (running on VMware
GSX Server). The AD box is just a normal box. So some NATing is
happening. There is no firewall, as far as I know.

Any ideas what might be wrong here?

Thanks
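
As an added diagnostic (example code written for this page, not code from the original post or from MIT krb5), here is a small Python script that works from two artefacts the poster already has on the Debian KDC: the krb5kdc log and the output of `kadmin.local -q listprincs`. It reports (a) whether a given client, as seen from one source address, obtained its own TGT and then a cross-realm TGT for the other realm, and (b) whether both cross-realm krbtgt principals exist with exactly the expected spelling. The log lines, source addresses and principal list below are constructed for the example; only the realm names and the "tester" principal follow the post. Principal names, realm part included, are matched byte for byte by the KDC, so the audit reports a krbtgt entry that differs from the expected name only in letter case as a mismatch, not as a match.

```python
"""Check the MIT side of an AD <-> MIT cross-realm trust from the krb5kdc log
and the principal list. Example code, not from the original post."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed krb5kdc.log excerpt (not from the original post). The request
# line format is the one MIT krb5kdc writes. Two runs are invented: the one
# from 192.168.1.10 shows a working chain, the one from 192.168.1.11 fails.
SAMPLE_LOG = """\
Oct 20 04:55:10 test12 krb5kdc[1187](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.10: ISSUE: authtime 1098262510, etypes {rep=23 tkt=23 ses=23}, tester@TEST2.NL for krbtgt/TEST2.NL@TEST2.NL
Oct 20 04:55:11 test12 krb5kdc[1187](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.10: ISSUE: authtime 1098262510, etypes {rep=23 tkt=23 ses=23}, tester@TEST2.NL for krbtgt/TEST.NL@TEST2.NL
Oct 20 04:57:02 test12 krb5kdc[1187](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.11: ISSUE: authtime 1098262622, etypes {rep=23 tkt=23 ses=23}, tester@TEST2.NL for krbtgt/TEST2.NL@TEST2.NL
Oct 20 04:57:03 test12 krb5kdc[1187](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.11: UNKNOWN_SERVER: authtime 0,  tester@TEST2.NL for krbtgt/TEST.NL@TEST2.NL, Server not found in Kerberos database
"""

# Constructed `kadmin.local -q listprincs` output for the MIT realm, with a
# lowercase "TEST.nl" instance in one of the trust principals (assumption).
SAMPLE_LISTPRINCS = """\
K/M@TEST2.NL
kadmin/admin@TEST2.NL
krbtgt/TEST2.NL@TEST2.NL
krbtgt/TEST2.NL@TEST.NL
krbtgt/TEST.nl@TEST2.NL
tester@TEST2.NL
"""

# Request lines krb5kdc writes: "<REQ> (<etypes>) <ip>: <STATUS>: authtime N,
# [etypes {...}, ]<client> for <server>[, <error text>]".
KDC_LINE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
    r"authtime \d+,\s+(?:etypes \{[^}]*\}, )?(?P<client>\S+) for (?P<server>[^,\s]+)"
)


@dataclass
class KdcEvent:
    req: str
    ip: str
    status: str
    client: str
    server: str


def parse_kdc_log(text: str) -> List[KdcEvent]:
    """Extract AS_REQ / TGS_REQ events from krb5kdc log text."""
    return [KdcEvent(**m.groupdict())
            for m in (KDC_LINE.search(line) for line in text.splitlines()) if m]


def split_principal(name: str):
    """'krbtgt/TEST.NL@TEST2.NL' -> ('krbtgt', 'TEST.NL', 'TEST2.NL')."""
    primary, realm = name.rsplit("@", 1)
    parts = primary.split("/", 1)
    return parts[0], (parts[1] if len(parts) > 1 else ""), realm


def trace_cross_realm(events: List[KdcEvent], client: str, ip: str,
                      home: str, remote: str) -> Dict[str, object]:
    """Did `client` (seen from `ip`) get a TGT for `home` and then a
    cross-realm TGT krbtgt/<remote>@<home>? Non-ISSUE outcomes are collected."""
    result: Dict[str, object] = {"initial_tgt": False, "cross_realm_tgt": False, "errors": []}
    for e in events:
        if e.client != client or e.ip != ip:
            continue
        svc, inst, realm = split_principal(e.server)
        if svc != "krbtgt":
            continue
        if e.status != "ISSUE":
            result["errors"].append(f"{e.req} for {e.server}: {e.status}")
        elif e.req == "AS_REQ" and inst == home and realm == home:
            result["initial_tgt"] = True
        elif e.req == "TGS_REQ" and inst == remote and realm == home:
            result["cross_realm_tgt"] = True
    return result


def audit_trust_principals(principals: List[str], realm_a: str, realm_b: str) -> List[str]:
    """For a two-way trust both krbtgt/A@B and krbtgt/B@A must exist in this
    KDC's database. Names are compared exactly; an entry that matches only
    when case is ignored is reported as a case mismatch."""
    wanted = {f"krbtgt/{realm_a}@{realm_b}", f"krbtgt/{realm_b}@{realm_a}"}
    present = set(principals)
    findings = []
    for p in sorted(wanted - present):
        near = [q for q in present if q.lower() == p.lower()]
        findings.append(f"case mismatch: have {near[0]}, need {p}" if near else f"missing: {p}")
    return findings


if __name__ == "__main__":
    evs = parse_kdc_log(SAMPLE_LOG)
    for src in ("192.168.1.10", "192.168.1.11"):
        print(src, trace_cross_realm(evs, "tester@TEST2.NL", src, "TEST2.NL", "TEST.NL"))
    for finding in audit_trust_principals(SAMPLE_LISTPRINCS.split(), "TEST.NL", "TEST2.NL"):
        print("trust audit:", finding)
```

Run it against the real files by replacing the two constructed samples with the contents of the KDC log and the listprincs output; a run that shows the initial TGT but no cross-realm TGT, together with a UNKNOWN_SERVER line for the krbtgt/OTHER@HOME service, points at the trust principal on the MIT side rather than at the client's password.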


More information about the Kerberos mailing list