Cross realm auth with MS Server 2003 and MIT kerb

swbell kerygma2 at
Thu Oct 21 11:14:21 EDT 2004

in article b87356fd.0410200057.2f06330a at, BarBaar at
beurdy at wrote on 10/20/04 3:57 AM:

> Hi,
> I am testing a setup with cross realm authentication. I know that
> there are several documents describing this setup, but none of them
> work for me. I followed the instructions of MS Interoperability
> guide, and the guidelines in O'Reilly's Definitive Guide to Kerberos.
> I am using MS Server 2003 with Active Directory. This box is
> Using ksetup I added a KDC ( and
> created a two way trust relationship with the test2-domain. The AD
> contains a user "tester" with the password "Secret21"
> On the (a Debian MIT KDC) I added two princs,
> krbtgt/TEST2.NL at TEST.NL and krbtgt/ at TEST2.NL, both having the
> same passwd as the trust on the w2k3 box. The KDC contains a princ
> "tester" with a password "Secret21".
> The third box is a Windows XP SP2 box, client of the test domain. On
> this box I also added the MIT KDC using ksetup. Now I want to log on to
> the test2-kerberos realm. And this is where all goes wrong.
> Authentication fails, I see the standard messagebox on the client,
> telling me that Windows could not authenticate me. But on the MIT KDC
> I can see the authentication attempt (a TGS-REQ and AS-REQ) in the kdc
> logs. So apparently the win XP client does send data to the MIT KDC.
> And the KDC authentication does succeed (there's no error message)

You need more than just the Kerberos ticket from the trusted realm to log
into a PC.  The Windows OS relies on extra stuff from Active Directory, such
as a SID, and all the stuff that determines group policy, etc.

Each user that you want to have log into the PC must have a user account
created in Active Directory, then mapped to the MIT realm's user principal.
Use the Active Directory Users and Computers to create a test account, then
turn on advanced features (under the view menu).  Right click on the test
account, and choose Name Mappings...  Click the Kerberos tab in the dialog
that appears, and then click Add to enter the user principal name from your
MIT realm.

You can set the initial password of the domain account to anything, then
check the User cannot change password property if you like. Unfortunately, I
don't know of a way to generate a random password for the account.  This
would be ideal, since you don't want the user logging in with the domain
credentials - just the MIT ones.

> One possible cause (but not very likely, I think) is that both the
> WinXP client and Kerb KDC are Virtual machines (running on VMWARE
> GSX-server). The AD-box is just a normal box. So some NAT'ing is
> happening. There is no firewall, as far as I know.
> Any ideas what might be wrong here?
> Thanks
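As an added example (not code from this thread, nor from MIT or Microsoft), the account-creation and name-mapping step described above, scripted with the RSAT ActiveDirectory PowerShell module on a modern host. It assumes the AD domain TEST.NL, the MIT realm TEST2.NL and the user "tester" from the post; the Kerberos tab of Name Mappings writes the altSecurityIdentities attribute, which is what the script sets.

```powershell
# Added example, not code from the thread. Assumes a host with the RSAT
# ActiveDirectory module and rights to create users in the AD domain
# TEST.NL; the MIT realm TEST2.NL and the user "tester" come from the post.
Import-Module ActiveDirectory

function New-RandomPassword {
    # 32 CSPRNG bytes, base64-encoded: 44 chars of mixed case, digits and
    # symbols, which satisfies the default domain complexity rules. The value
    # is never written anywhere; the user logs on with MIT credentials only.
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 32
    $rng.GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function New-MappedShadowAccount {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName, # AD account, e.g. tester
        [Parameter(Mandatory)] [string] $MitPrincipal,   # e.g. tester@TEST2.NL
        [Parameter(Mandatory)] [string] $AdDomainDns     # e.g. test.nl
    )
    # The "Name Mappings... / Kerberos" dialog stores exactly this string in
    # altSecurityIdentities. The DC resolves the cross-realm client name
    # through it, so refuse to create a second account with the same mapping.
    $mapping = "Kerberos:$MitPrincipal"
    $clash = Get-ADUser -LDAPFilter "(altSecurityIdentities=$mapping)"
    if ($clash) {
        throw "Principal $MitPrincipal is already mapped to $($clash.SamAccountName)"
    }

    $secret = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    New-ADUser -Name $SamAccountName `
        -SamAccountName $SamAccountName `
        -UserPrincipalName "$SamAccountName@$AdDomainDns" `
        -AccountPassword $secret `
        -Enabled $true `
        -CannotChangePassword $true `
        -PasswordNeverExpires $true `
        -OtherAttributes @{ altSecurityIdentities = $mapping }

    # Read the mapping back so the caller sees what the DC will use.
    $user = Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities
    return $user.altSecurityIdentities
}

# Usage for the setup in the post: AD domain TEST.NL, MIT realm TEST2.NL.
New-MappedShadowAccount -SamAccountName 'tester' `
    -MitPrincipal 'tester@TEST2.NL' -AdDomainDns 'test.nl'
```

The random domain password is generated and discarded inside the function; the account only exists so that Windows can build the SID and group-policy data the reply mentions.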
