Cross realm auth with MS Server 2003 and MIT kerb

BarBaar beurdy at priest.com
Thu Oct 21 08:22:50 EDT 2004


deengert at anl.gov ("Douglas E. Engert") wrote in message news:<41767A4D.9050807 at anl.gov>...
> So let me get this straight. You have two realms, TEST.NL (AD)
> and TEST2.NL MIT based.
> 
> The user is testor at TEST2.NL.
> 
> The workstation i.e. server in this case is XP box with principal
> host/yourxp at TEST.NL because it is a member of the domain.
> 
> What should happen when you try and login to the XP
> machine:
> 
>     workstation requests TGT from TEST2.NL
> 
>     workstation decrypts using the password.
> 
>     workstation tries to use this TGT to get cross realm TGT for the
>     realm of the workstation.
> 
>     workstation uses this cross realm to get service ticket
>     for its principal.
> 
>     Workstation then uses PAC from ticket to map you to the
>     correct account on the workstation.
> 
> 
> So any number of things could be wrong. Since you are trying
> to use a MIT generated ticket it does not have a PAC. So when
> the workstation tries to determine what local account you are
> authorized for, it can't figure this out.
> 
> There is some way to tell AD that it can accept a Kerberos ticket
> from an MIT realm as authentication to an AD account. This might
> be what is missing. In this case the cross realm TGT would then
> have PAC information that the workstation could then use.
> 
> 
> Another simpler test to start with is have an XP workstation that
> is not part of a domain, but is registered with the MIT realm.
> (My W2000 machine is like this. We do just the opposite, use the AD
> principals to logon to unix.) Then run the ksetup and add the mapping
> to local accounts and add a principal for host/nondomainworkstation at TEST2.NL.
> Then you can use a user principal from either TEST.NL or TEST2.NL to
> login to the workstation. This would verify that your cross realm
> keys are correct in one direction.
> 
> 

Hi,

I found the following message on my w2k3 AD:

10/21/2004	11:48:35 AM	Kerberos	Error	None	3	N/A	BART	"A Kerberos
Error Message was received:
         on logon session 
 Client Time: 
 Server Time: 9:48:35.0000 10/21/2004 Z
 Error Code: 0xd KDC_ERR_BADOPTION
 Extended Error: 0xc00000bb KLIN(0)
 Client Realm: 
 Client Name: 
 Server Realm: TEST.NL
 Server Name: host/bart.test.nl
 Target Name: host/bart.test.nl at TEST.NL
 Error Text: 
 File: 9
 Line: ab8
 Error Data is in record data."
10/21/2004	11:33:35 AM	Kerberos	Error	None	3	N/A	BART	"A Kerberos
Error Message was received:
         on logon session 
 Client Time: 
 Server Time: 9:33:35.0000 10/21/2004 Z
 Error Code: 0xd KDC_ERR_BADOPTION
 Extended Error: 0xc00000bb KLIN(0)
 Client Realm: 
 Client Name: 
 Server Realm: TEST.NL
 Server Name: host/bart.test.nl
 Target Name: host/bart.test.nl at TEST.NL
 Error Text: 
 File: 9
 Line: ab8
 Error Data is in record data."

This message also appears when I try it all the other way around:
first authenticate on the w2k3-domain, and then try to open a
kerberized SSH session to the linux box (which is in another realm)...

Something tells me this is about the infamous PAC-field. Is that
correct?

I also found this link: http://support.microsoft.com/?kbid=832572 But
it is only for w2k.
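As an added example (not part of the original thread or of either poster's setup): a small parser for the Windows Kerberos event-log entries quoted above, so the repeated KDC_ERR_BADOPTION failures can be pulled out of an exported event log and summarised by error code, server realm and target principal instead of being read by hand. The sample input is the two entries from the post, with the mailing-list archive's " at " munging in the target name assumed to stand for "@"; the error-code table is the numbering from RFC 4120 and the NTSTATUS name is assumed for the extended error.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: the two event-log entries quoted in the post above.
# Summary columns are tab-separated; the quoted description spans several lines.
# The archive's "host/bart.test.nl at TEST.NL" is assumed to mean "host/bart.test.nl@TEST.NL".
SAMPLE_EVENTS = '''10/21/2004\t11:48:35 AM\tKerberos\tError\tNone\t3\tN/A\tBART\t"A Kerberos
Error Message was received:
         on logon session 
 Client Time: 
 Server Time: 9:48:35.0000 10/21/2004 Z
 Error Code: 0xd KDC_ERR_BADOPTION
 Extended Error: 0xc00000bb KLIN(0)
 Client Realm: 
 Client Name: 
 Server Realm: TEST.NL
 Server Name: host/bart.test.nl
 Target Name: host/bart.test.nl@TEST.NL
 Error Text: 
 File: 9
 Line: ab8
 Error Data is in record data."
10/21/2004\t11:33:35 AM\tKerberos\tError\tNone\t3\tN/A\tBART\t"A Kerberos
Error Message was received:
         on logon session 
 Client Time: 
 Server Time: 9:33:35.0000 10/21/2004 Z
 Error Code: 0xd KDC_ERR_BADOPTION
 Extended Error: 0xc00000bb KLIN(0)
 Client Realm: 
 Client Name: 
 Server Realm: TEST.NL
 Server Name: host/bart.test.nl
 Target Name: host/bart.test.nl@TEST.NL
 Error Text: 
 File: 9
 Line: ab8
 Error Data is in record data."
'''

# KRB-ERROR codes from RFC 4120 section 7.5.9 (subset).
RFC4120_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    13: "KDC_ERR_BADOPTION",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    68: "KDC_ERR_WRONG_REALM",
}
# Assumed NTSTATUS name for the extended error seen in the post.
NTSTATUS_NAMES = {0xC00000BB: "STATUS_NOT_SUPPORTED"}

RECORD_START = re.compile(r"^\d{1,2}/\d{1,2}/\d{4}\t")   # a new entry begins with a date column
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s?(.*)$")       # "Name: value" lines of the description


@dataclass
class KerbEvent:
    date: str
    time: str
    source: str
    level: str
    event_id: str
    computer: str
    fields: dict = field(default_factory=dict)

    @property
    def error_number(self) -> int:
        # "0xd KDC_ERR_BADOPTION" -> 13
        parts = self.fields.get("Error Code", "").split()
        return int(parts[0], 16) if parts else -1

    @property
    def error_code(self) -> str:
        # Prefer the symbolic name in the log, fall back to the RFC 4120 table.
        parts = self.fields.get("Error Code", "").split()
        return parts[1] if len(parts) > 1 else RFC4120_ERRORS.get(self.error_number, "UNKNOWN")

    @property
    def extended_status(self) -> str:
        parts = self.fields.get("Extended Error", "").split()
        return NTSTATUS_NAMES.get(int(parts[0], 16), parts[0]) if parts else ""


def split_records(text: str) -> list[str]:
    """Group the exported log into one string per event entry."""
    records, current = [], []
    for line in text.splitlines():
        if RECORD_START.match(line) and current:
            records.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        records.append("\n".join(current))
    return records


def parse_event(record: str) -> KerbEvent:
    first, _, detail = record.partition("\n")
    cols = first.split("\t")
    # Columns: date, time, source, level, category, event id, user, computer, description start.
    ev = KerbEvent(date=cols[0], time=cols[1], source=cols[2], level=cols[3],
                   event_id=cols[5], computer=cols[7])
    for line in detail.splitlines():
        m = FIELD.match(line)
        if m:
            ev.fields[m.group(1).strip()] = m.group(2).strip().rstrip('"')
    return ev


def parse_events(text: str) -> list[KerbEvent]:
    return [parse_event(r) for r in split_records(text)]


def summarize(events: list[KerbEvent]) -> Counter:
    """Count failures by (error code, server realm, target principal)."""
    return Counter((e.error_code, e.fields.get("Server Realm", ""), e.fields.get("Target Name", ""))
                   for e in events)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for (code, realm, target), n in summarize(evs).items():
        print(f"{n}x {code} from realm {realm} for {target}")
```

Running it over the two entries reports a single line, `2x KDC_ERR_BADOPTION from realm TEST.NL for host/bart.test.nl@TEST.NL`, which is the pattern the post describes: the same option-rejected error each time the workstation asks TEST.NL for a ticket to its own host/ principal, with the Client Realm and Client Name fields left empty.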

