Cross-Realm Authentication
Darren Hoch
darren.hoch at litemail.org
Fri Apr 22 00:20:23 EDT 2005
Hello Kerberos Gurus,
I am giving a pretty lengthy presentation on Sun Kerberos next week and
I want to make sure I have the correct understanding of how cross-realm
authentication works.
Domain1: EXAMPLE.COM
Domain2: EXAMPLE1.COM
1) The user darren@EXAMPLE.COM wants to telnet to
host/foo.example1.com@EXAMPLE1.COM using cross-realm authentication.
2) Both KDCs, host/kdc.example.com@EXAMPLE.COM and
host/kdc.example1.com@EXAMPLE1.COM, create
krbtgt/EXAMPLE.COM@EXAMPLE1.COM and vice-versa principals in a direct
cross-realm trust.
3) The user darren@EXAMPLE.COM issues the following command:
bar.example.com$ telnet -a -f -x foo.example1.com
4) From here, host/bar.example.com contacts the KDC for EXAMPLE.COM
looking for a cross-realm trust of host/foo.example1.com. Since there is
a principal for host/kdc.example1.com, host/kdc.example.com issues a
cross-realm service ticket for host/bar.example.com. The
host/bar.example.com then contacts host/foo.example1.com with a service
ticket presented from host/kdc.example.com and authenticates.
This is where I am a little confused about how exactly the trust
relationship plays out. To what degree do the two KDCs communicate this
trust relationship in this specific scenario? What is the order of
conversation? I am looking for some help with step 4, if someone
could set me straight.
Thanks,
Darren
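The following is an added example, not part of Darren's post or of any Kerberos implementation: a small Python simulation of the message order in step 4 for the two realms named above. It replaces ticket encryption with an HMAC under the service's long-term key and collapses the AS exchange to "issue the TGT", so the only thing it models faithfully is who holds which key and in what order the client talks to each party. The principal names follow the post (darren@EXAMPLE.COM, host/foo.example1.com@EXAMPLE1.COM, krbtgt/EXAMPLE1.COM@EXAMPLE.COM); the `demo`, `trust` modes and the "reject any non-empty transited path" policy in `service_accept` are assumptions made for the illustration.

```python
"""Toy model of Kerberos direct cross-realm authentication (simulation, not krb5).
Ticket "encryption" is replaced by an HMAC under the service's key, and the
AS exchange is reduced to its result. Principal names follow the post."""
import hashlib
import hmac
import json
import secrets


def seal(key, body):
    """Stand-in for encrypting a ticket under `key`: only a holder of `key` can validate it."""
    data = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, data, hashlib.sha256).hexdigest()}


def unseal(key, ticket):
    data = json.dumps(ticket["body"], sort_keys=True).encode()
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["mac"]):
        raise PermissionError("ticket was not issued under a key this principal holds")
    return ticket["body"]


def realm_of(principal):
    return principal.rsplit("@", 1)[1]


class KDC:
    """One realm's KDC: a key database plus the AS and TGS services."""

    def __init__(self, realm):
        self.realm = realm
        self.keys = {}
        self.add_principal(f"krbtgt/{realm}@{realm}")  # the realm's own TGS key

    def add_principal(self, name, key=None):
        self.keys[name] = key or secrets.token_bytes(32)
        return self.keys[name]

    def as_exchange(self, client):
        """AS-REQ/AS-REP reduced to its result: a TGT for `client` under this realm's TGS key."""
        tgs = f"krbtgt/{self.realm}@{self.realm}"
        return seal(self.keys[tgs], {"cname": client, "sname": tgs, "transited": []})

    def tgs_exchange(self, tgt, sname):
        """TGS-REQ: validate the presented TGT, then issue a ticket for `sname`.

        The TGT's sname names the krbtgt key it was sealed under: krbtgt/R@R for a
        local client, or the inter-realm principal krbtgt/R@A for a client arriving
        from realm A. This KDC can validate the latter only if it holds the same key
        as realm A's KDC. The two KDCs never talk to each other; the client carries
        every ticket between them.
        """
        issuer = tgt["body"]["sname"]
        if issuer not in self.keys:
            raise PermissionError(f"{self.realm}: no key for {issuer}, no trust with {realm_of(issuer)}")
        body = unseal(self.keys[issuer], tgt)
        if sname not in self.keys:
            raise LookupError(f"{self.realm}: unknown principal {sname}")  # KDC_ERR_S_PRINCIPAL_UNKNOWN
        transited = list(body["transited"])
        hop = realm_of(issuer)
        if hop not in (realm_of(body["cname"]), self.realm):
            transited.append(hop)  # an intermediate realm; empty for a direct trust
        return seal(self.keys[sname], {"cname": body["cname"], "sname": sname, "transited": transited})


def cross_realm_auth(tgt, home_kdc, remote_kdc, service):
    """Client side of step 4, as run by darren's credential cache on bar.example.com."""
    if realm_of(service) == home_kdc.realm:
        return home_kdc.tgs_exchange(tgt, service)
    # 4a: ask the HOME KDC for a cross-realm TGT naming the remote realm.
    cross_tgt = home_kdc.tgs_exchange(tgt, f"krbtgt/{remote_kdc.realm}@{home_kdc.realm}")
    # 4b: present that TGT to the REMOTE KDC and ask it for the service ticket.
    return remote_kdc.tgs_exchange(cross_tgt, service)


def service_accept(service_key, ticket, service):
    """What host/foo.example1.com does with the AP-REQ: validate under its own key, read cname."""
    body = unseal(service_key, ticket)
    if body["sname"] != service:
        raise PermissionError("ticket is for a different service")
    if body["transited"]:  # assumed policy for this example: accept direct trust only
        raise PermissionError(f"untrusted transited path {body['transited']}")
    return body["cname"]


def demo(trust="direct"):
    """Run the whole exchange; `trust` selects how the inter-realm key was configured."""
    a, b = KDC("EXAMPLE.COM"), KDC("EXAMPLE1.COM")
    foo = "host/foo.example1.com@EXAMPLE1.COM"
    foo_key = b.add_principal(foo)
    xrealm = "krbtgt/EXAMPLE1.COM@EXAMPLE.COM"  # the EXAMPLE.COM -> EXAMPLE1.COM direction
    if trust == "direct":
        b.add_principal(xrealm, a.add_principal(xrealm))  # identical key in both databases
    elif trust == "key_mismatch":
        a.add_principal(xrealm)
        b.add_principal(xrealm)  # each side generated its own key: trust looks configured but is not
    # trust == "none": neither KDC holds the inter-realm principal at all
    tgt = a.as_exchange("darren@EXAMPLE.COM")
    return service_accept(foo_key, cross_realm_auth(tgt, a, b, foo), foo)


def failure_mode(trust):
    """Name of the exception a misconfigured trust produces, or None when authentication succeeds."""
    try:
        demo(trust)
    except (PermissionError, LookupError) as exc:
        return type(exc).__name__
    return None
```

The two `tgs_exchange` calls inside `cross_realm_auth` are the "order of conversation" the post asks about: home KDC first, then remote KDC, then the target host, with no KDC-to-KDC traffic. On a real MIT krb5 client the same two hops leave a trace in the credential cache: after the telnet, `klist` shows a krbtgt/EXAMPLE1.COM@EXAMPLE.COM entry next to the host/foo.example1.com@EXAMPLE1.COM service ticket.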