Cross realm auth with MS Server 2003 and MIT kerb

Douglas E. Engert deengert at anl.gov
Mon Oct 25 16:24:35 EDT 2004



BarBaar wrote:

> Hello,
> 
> Today I started to sniff the network, while trying to set up a
> cross-realm kerberos-session... (realm named: test.nl and
> tester.test.nl)
> 

You have lost me here. What is the W2k3 AD domain name and what is the
MIT KDC realm name? Yesterday there were TEST.NL (AD) and TEST2.NL (MIT)
and the user is testor at TEST2.NL.

> And the sniffer (ethereal) did not tell me very much.. But he did tell
> me the WinXp client is requesting a TGS from the w2k3 AD KDC (which is
> good!). And the AD KDC sent an error back:
> krb5kdc_err_s_principal_unknown.. (which is not good)
> 
> So (correct me if I am wrong) the AD KDC does not see that this host
> is in a different realm, and therefore does not respond with the
> correct ticket (which should be a krbtgt/TEST.NL at TESTER.TEST.NL?)

In strict Kerberos terms, the first request should be for a TGT for the
user from the user's realm. It does not matter what the realm of the
host is at this point. But if you don't fully qualify the user principal,
it will default the user's realm from the realm of the host.

But yesterday you were trying to have the user in the MIT realm,
so it is not surprising that the W2K returns principal_unknown.

So try logging in as testor at TEST2.NL, giving the full principal name.
It should then try and contact the MIT KDC at TEST2.NL and get a
krbtgt/TEST2.NL at TEST2.NL ticket for testor at TEST2.NL. It will then determine
that the host is from a different realm, and will then try and get from
TEST2.NL a krbtgt/TEST.NL at TEST2.NL

See if you can get this far.

It will then use this TGT against AD to get a host/xpclient.name at TEST.NL
But this may get a ticket but not let you login as there is no
PAC.

> 
> Any ideas on this?
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
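The ticket chain Doug describes (user TGT from the user's realm, then a cross-realm TGT, then the workstation's host ticket from AD) and the realm-defaulting pitfall that produces the principal_unknown error can be walked through with a small model. The following is an added example, not code from this thread nor from the MIT or Microsoft KDC implementations: the two KDC principal databases are constructed dictionaries, the realm and workstation names are the ones used in the thread, and the "AD realms issue a PAC, the MIT realm does not" rule is a deliberate simplification of the PAC point at the end of the reply.

```python
from __future__ import annotations

# Constructed toy principal databases for the two realms named in the thread.
# A KDC can only issue or decrypt tickets for principals it holds a key for;
# the shared cross-realm krbtgt entry is what lets one realm vouch for the other.
AD_REALMS = {"TEST.NL"}          # simplification: only an AD KDC adds a PAC

KDCS = {
    "TEST.NL": {                     # Windows 2003 AD KDC
        "krbtgt/TEST.NL@TEST.NL",
        "host/xpclient.name@TEST.NL",
        "krbtgt/TEST.NL@TEST2.NL",   # cross-realm key shared with the MIT KDC
    },
    "TEST2.NL": {                    # MIT KDC
        "krbtgt/TEST2.NL@TEST2.NL",
        "testor@TEST2.NL",
        "krbtgt/TEST.NL@TEST2.NL",   # the same shared key, seen from this side
    },
}


class KdcError(Exception):
    """Raised when a KDC has no key for the requested principal."""


def qualify(user: str, host_realm: str) -> str:
    """An unqualified login name is defaulted to the workstation's realm."""
    return user if "@" in user else f"{user}@{host_realm}"


def kdc_lookup(realm: str, principal: str) -> None:
    """Toy KDC check: refuse anything the realm holds no key for."""
    if principal not in KDCS[realm]:
        raise KdcError(f"{realm} KDC: principal unknown: {principal}")


def cross_realm_login(user: str, host_realm: str,
                      workstation: str = "xpclient.name") -> dict:
    """Return the tickets a client asks for, in order, as (kdc_realm, ticket)
    pairs, plus whether the final host ticket carries a PAC."""
    client = qualify(user, host_realm)
    user_realm = client.split("@", 1)[1]
    steps: list[tuple[str, str]] = []

    # 1. AS-REQ to the user's own realm. This is where an unqualified name
    #    goes wrong: "testor" typed on a TEST.NL workstation is sent to the
    #    AD KDC, which has no such user and answers "principal unknown".
    kdc_lookup(user_realm, client)
    steps.append((user_realm, f"krbtgt/{user_realm}@{user_realm}"))

    if user_realm != host_realm:
        # 2. TGS-REQ to the user's realm for a cross-realm TGT for the host's realm.
        cross_tgt = f"krbtgt/{host_realm}@{user_realm}"
        kdc_lookup(user_realm, cross_tgt)
        steps.append((user_realm, cross_tgt))
        # The host's realm must hold the same cross-realm key, or it cannot
        # decrypt that TGT when the client presents it in step 3.
        kdc_lookup(host_realm, cross_tgt)

    # 3. TGS-REQ to the host's realm for the workstation's own service ticket.
    service = f"host/{workstation}@{host_realm}"
    kdc_lookup(host_realm, service)
    steps.append((host_realm, service))

    # A user authenticated by the MIT realm reaches TEST.NL with a PAC-less
    # ticket, which is why the host ticket alone may not log you in.
    return {"steps": steps, "pac": user_realm in AD_REALMS}


def windows_logon(user: str, host_realm: str) -> str:
    """Summarise the outcome the way the workstation would experience it."""
    try:
        result = cross_realm_login(user, host_realm)
    except KdcError as err:
        return f"failed: {err}"
    if not result["pac"]:
        return "ticket obtained but no PAC: interactive logon refused"
    return "logged in"


if __name__ == "__main__":
    for name in ("testor", "testor@TEST2.NL"):
        print(name, "->", windows_logon(name, "TEST.NL"))
```

Running it shows the two cases from the thread side by side: the bare name fails at the AD KDC before any cross-realm traffic happens, while the fully qualified name gets all three tickets and then stops at the missing PAC. Comparing the step list against the TGS-REQ/TGS-REP pairs seen in ethereal tells you which hop in the chain is the one actually failing.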

