Cross realm auth with MS Server 2003 and MIT kerb

Douglas E. Engert deengert at
Mon Oct 25 16:24:35 EDT 2004

BarBaar wrote:

> Hello,
> Today I started to sniff the network, while trying to set up a
> cross-realm kerberos-session... (realm named: and

You have lost me here. What is the W2k3 AD domain name and what is the
MIT KDC realm name? Yesterday there were TEST.NL (AD) and TEST2.NL (MIT)
and the user is testor at TEST2.NL.

> And the sniffer (ethereal) did not tell me very much.. But he did tell
> me the WinXp client is requesting a TGS from the w2k3 AD KDC (which is
> good!). And the AD KDC send a error back:
> krb5kdc_err_s_principal_unknown.. (which is not good)
> So (correct me if I am wrong) the AD KDC does not see that this host
> is in a different realm, and therefore does not respond with the
> correct ticket (which should be a krbtgt/TEST.NL at TESTER.TEST.NL?)

In strict Kerberos terms, the first request should be for a TGT for the
user from the user's realm. It does not matter what the realm of the
host is at this point. But if you don't fully qualify the user principal,
it will default the user's realm from the realm of the host.

But yesterday you were trying to have the user in the MIT realm,
so it is not surprising that the W2K returns principal_unknown.

So try logging in as testor at TEST2.NL, giving the full principal name.
It should then try to contact the MIT KDC at TEST2.NL and get
testor at TEST2.NL a krbtgt/TEST2.NL at TEST2.NL ticket. It will then determine
that the host is from a different realm, and will then try to get from
TEST2.NL a krbtgt/TEST.NL at TEST2.NL ticket.

See if you can get this far.

It will then use this TGT against AD to get a host/ at TEST.NL ticket.
But this may get a ticket but not let you log in as there is no

> Any ideas on this?


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
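The request sequence Douglas lays out above, as an added model that is not part of the thread: the realm names TEST.NL (AD) and TEST2.NL (MIT) and the user testor come from the thread, while the host name pc1.test.nl, the KDC databases and the distinction between a client-unknown and a service-unknown error are constructed assumptions of this model.

```python
KDC_ERR_C_PRINCIPAL_UNKNOWN = "KDC_ERR_C_PRINCIPAL_UNKNOWN"  # client principal not in KDC database
KDC_ERR_S_PRINCIPAL_UNKNOWN = "KDC_ERR_S_PRINCIPAL_UNKNOWN"  # service principal not in KDC database

# Constructed KDC databases: realm -> principals the KDC has a key for. Each realm holds
# its own krbtgt, the shared cross-realm krbtgt for its trust partner, and its own users/hosts.
KDCS = {
    "TEST.NL":  {"krbtgt/TEST.NL", "krbtgt/TEST2.NL", "host/pc1.test.nl"},   # W2K3 AD
    "TEST2.NL": {"krbtgt/TEST2.NL", "krbtgt/TEST.NL", "testor"},             # MIT KDC
}

def qualify(principal, default_realm):
    """Split name@REALM; an unqualified name gets the host's realm, as the reply notes."""
    if "@" in principal:
        name, realm = principal.rsplit("@", 1)
        return name, realm
    return principal, default_realm

def kdc_request(kdcs, realm, service, client=None):
    """Model one exchange with a KDC. An AS-REQ (client given) needs both the client and
    krbtgt principals; a TGS-REQ only needs the service principal."""
    db = kdcs.get(realm, set())
    if client is not None and client not in db:
        return ("ERROR", KDC_ERR_C_PRINCIPAL_UNKNOWN)
    if service not in db:
        return ("ERROR", KDC_ERR_S_PRINCIPAL_UNKNOWN)
    return ("TICKET", f"{service}@{realm}")

def login_sequence(user, host, host_realm, kdcs=KDCS):
    """Return the ordered (kdc_realm, service, outcome) steps a client walks through to
    log a (possibly cross-realm) user on to this host; stops at the first KDC error."""
    name, user_realm = qualify(user, host_realm)
    steps = []
    # 1. AS-REQ to the user's realm for the user's own TGT.
    tgt = kdc_request(kdcs, user_realm, f"krbtgt/{user_realm}", client=name)
    steps.append((user_realm, f"krbtgt/{user_realm}", tgt))
    if tgt[0] == "ERROR":
        return steps
    if user_realm != host_realm:
        # 2. TGS-REQ to the user's realm for a cross-realm TGT naming the host's realm.
        xtgt = kdc_request(kdcs, user_realm, f"krbtgt/{host_realm}")
        steps.append((user_realm, f"krbtgt/{host_realm}", xtgt))
        if xtgt[0] == "ERROR":
            return steps
    # 3. TGS-REQ to the host's realm (AD here) for the host service ticket.
    svc = kdc_request(kdcs, host_realm, f"host/{host}")
    steps.append((host_realm, f"host/{host}", svc))
    return steps
```

Running `login_sequence("testor", "pc1.test.nl", "TEST.NL")` shows the unqualified name being sent to the AD realm and failing, while `login_sequence("testor@TEST2.NL", "pc1.test.nl", "TEST.NL")` walks the three-ticket path the reply describes.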
