Cross realm auth with MS Server 2003 and MIT kerb

BarBaar beurdy at
Wed Oct 20 04:57:02 EDT 2004


I am testing a setup with cross realm authentication. I know that
there are several documents describing this setup, but none of them
work for me. I followed the instructions of the MS Interoperability
guide, and the guidelines in O'Reilly's Definitive Guide to Kerberos.

I am using MS Server 2003 with Active Directory. This box is Using ksetup I added a KDC ( and
created a two-way trust relationship with the test2 domain. The AD
contains a user "tester" with the password "Secret21".

On the (a Debian MIT KDC) I added two princs,
krbtgt/TEST2.NL at TEST.NL and krbtgt/ at TEST2.NL, both having the
same passwd as the trust on the w2k3 box. The KDC contains a princ
"tester" with the password "Secret21".

The third box is a Windows XP SP2 box, a client of the test domain. On
this box I also added the MIT KDC using ksetup. Now I want to log on to
the test2 Kerberos realm, and this is where it all goes wrong.

Authentication fails: I see the standard message box on the client,
telling me that Windows could not authenticate me. But on the MIT KDC
I can see the authentication attempt (a TGS-REQ and an AS-REQ) in the kdc
logs. So apparently the Win XP client does send data to the MIT KDC,
and the KDC authentication does succeed (there's no error message).

One possible cause (but not very likely, I think) is that both the
WinXP client and the Kerb KDC are virtual machines (running on VMware
GSX Server). The AD box is just a normal box. So some NAT'ing is
happening. There is no firewall, as far as I know.

Any ideas what might be wrong here?
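The post above says the MIT KDC shows an AS-REQ and a TGS-REQ without any error, which is the one hard fact available for narrowing down where the cross-realm exchange stops. In a cross-realm logon the MIT KDC first issues the client a TGT for its own realm (AS-REQ) and then, on the TGS-REQ, a cross-realm TGT for krbtgt/<other realm>@TEST2.NL; if the log shows ISSUE for that second ticket, the MIT side has done its part and the failure lies in the next hop (the client presenting that ticket to the other realm's KDC). The script below is an added example that is not part of the original post: it parses lines in the style of MIT's krb5kdc.log and reports, per cross-realm TGT request, whether the KDC issued it. The log lines are constructed samples (hostnames, addresses and timestamps are invented), and the regular expression is written against the krb5kdc.log layout as I know it rather than taken from any document.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample lines in the style of MIT krb5kdc.log. They are not the
# poster's logs; host names, addresses, times and the CORP.NL realm are made up.
SAMPLE_KDC_LOG = """\
Oct 20 10:57:01 kdc1 krb5kdc[842](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.25: ISSUE: authtime 1098269821, etypes {rep=23 tkt=23 ses=23}, tester@TEST2.NL for krbtgt/TEST2.NL@TEST2.NL
Oct 20 10:57:01 kdc1 krb5kdc[842](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.25: ISSUE: authtime 1098269821, etypes {rep=23 tkt=23 ses=23}, tester@TEST2.NL for krbtgt/TEST.NL@TEST2.NL
Oct 20 10:58:30 kdc1 krb5kdc[842](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.26: UNKNOWN_SERVER: authtime 0,  tester@TEST2.NL for krbtgt/CORP.NL@TEST2.NL, Server not found in Kerberos database
Oct 20 10:59:02 kdc1 krb5kdc[842](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.27: CLIENT_NOT_FOUND: nobody@TEST2.NL for krbtgt/TEST2.NL@TEST2.NL, Client not found in Kerberos database
"""

# Request type, client address, result code, then (optionally) authtime and
# etype details, then "<client principal> for <server principal>".
LINE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<ip>[0-9a-fA-F.:]+): "
    r"(?P<status>[A-Z_]+): "
    r"(?:authtime \d+,\s*)?(?:etypes \{[^}]*\},\s*)?"
    r"(?P<client>\S+) for (?P<server>[^,\s]+)"
)


@dataclass
class KdcRequest:
    req_type: str
    client_ip: str
    status: str      # "ISSUE" on success, otherwise an error code
    client: str      # requesting principal, e.g. tester@TEST2.NL
    server: str      # requested service principal

    @property
    def is_cross_realm_tgt(self) -> bool:
        # A cross-realm TGT is krbtgt/<remote realm>@<local realm> where the
        # two realm names differ; krbtgt/R@R is the ordinary local TGT.
        svc, _, realm = self.server.partition("@")
        return svc.startswith("krbtgt/") and svc[len("krbtgt/"):] != realm


def parse_kdc_log(text: str) -> List[KdcRequest]:
    """Return one KdcRequest per AS_REQ/TGS_REQ line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append(KdcRequest(m["req"], m["ip"], m["status"],
                                      m["client"], m["server"]))
    return records


def cross_realm_outcomes(records: List[KdcRequest]) -> List[Tuple[str, str, bool]]:
    """(client, cross-realm krbtgt, issued?) for every cross-realm TGT request."""
    return [(r.client, r.server, r.status == "ISSUE")
            for r in records if r.is_cross_realm_tgt]


def cross_realm_tgt_issued(records: List[KdcRequest], remote_realm: str) -> bool:
    """True if the KDC issued at least one TGT for krbtgt/<remote_realm>@<local>."""
    return any(issued for _, server, issued in cross_realm_outcomes(records)
               if server.startswith(f"krbtgt/{remote_realm}@"))


if __name__ == "__main__":
    recs = parse_kdc_log(SAMPLE_KDC_LOG)
    for client, server, issued in cross_realm_outcomes(recs):
        print(f"{client} -> {server}: {'issued' if issued else 'refused'}")
    print("cross-realm TGT for TEST.NL issued:", cross_realm_tgt_issued(recs, "TEST.NL"))
```

Run it against a real krb5kdc.log (read the file into `parse_kdc_log`) and look at the second ticket in the chain: a refused request with an error code such as UNKNOWN_SERVER points at a missing or mistyped krbtgt principal on the MIT side, while an ISSUE for krbtgt/TEST.NL@TEST2.NL means the remaining suspects are the trust password matching on the AD side and the client's realm-to-KDC mapping.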


