AD Domain Authentication to MIT Kerb V

Douglas E. Engert deengert at
Fri Feb 18 17:02:19 EST 2005

Matt Joyce wrote:
>> So when you login, do you type user at realm or just user?
> just user.  The @ seemingly specifies a domain to login to. 

No its the realm of the user. This machine knows what domain it is in.
So the first step it to authenticate to the user's realm, then
the libs will get cross realm tickets and finals a service ticket
for the machine from the machine's realm.

> I cannot 
> login to a Domain with a complete realm prinicpal without inadvertental 
> telling windows to login to som alternate domain... 

*BUT thats the point* the user is in one realm the machine in another.
They can trust each other because you setup the cross realm, and with AD,
the AD of the machine spotted that your user has an AD account, and so it
added PAC information so the machine would accept the user as domain user.

 > possibly a trusted kerb5 realm domain created by AD?

Not sure what you mean. AD does not create realms. Although domains in
a forest are using Kerberos cross realm.


> When i login to the Domain as a regular user MIT leash shows me a wad of 
> @DOMAIN.COM tickets.  Can I assume these tickets will be honored by 
> services  in the MIT Kerb V realm REALM.DOMAIN.COM?

Yes and no. The tickets are for selected services in what ever realm
the service is in. Since the user is in DOMAIN.COM one of the tickets
is krbtgt/DOMAIN.COM at DOMAIN.COM this is the ticket granting ticket used
to get more tickets from DOMAIN.COM for services in that realm.

There may also be a krbtgt/REALM.DOMAIN.COM at DOMAIN.COM This is the cross
realm ticket issued by DOMAIN.COM used to get tickets from REALM.DOMAIN.COM
But you would only see this if the user attempted to use a service in

When you get this working you using the user in REALM.DOMAIN.COM
you should see these tickets:

    krbtgt/REALM.DOMAIN.COM at REALM.DOMAIN.COM   (initial ticket)
    krbtgt/DOMAIN.COM at REALM.DOMAIN.COM         (cross realm ticket)
    host/theworkstaiton at DOMAIN.COM             (service ticket for host)

> This line of discussion is really really helpful thanks a ton.


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list