Cross-realm Authentication with Windows Server 2003

Jeremy J. Casper casper at umn.edu
Mon Mar 14 17:27:12 EST 2005


We are trying to set up a Kerberos pass-thru authenticated logon in a 
Windows 2003 Server forest.  We have tried the following steps to get 
the pass-thru to work, but are currently getting an error message when 
we try to log in.  We have done the following steps on both the AD 
controller and the Kerberos server.

Active Directory Domain is AD.SCHOOL.EDU
Kerberos realm is SCHOOL.EDU
Kerberos server

Active Directory Server
1. ran the following command "ksetup /addkdc SCHOOL.EDU kerberos.SCHOOL.EDU"
2. ran the command "netdom TRUST AD.SCHOOL.EDU /Domain:SCHOOL.EDU /Add /Realm /PasswordT:"Someolpswd""
3. ran the command "netdom TRUST AD.SCHOOL.EDU /Domain:SCHOOL.EDU /Transitive:yes"
4. Restarted the AD server

Kerberos Server
1. ran the command kadmin: addprinc -e des-cbc-crc:normal 
krbtgt/ad.school.edu 
2. entered in "Someolpswd" when prompted for the password
3. added to the hosts file "<ip address> ad.school.edu ad"
4. added to the krb5.conf file:   
    [realms]
        AD.SCHOOL.EDU = {
            kdc = dc.ad.school.edu
            admin_server = dc.ad.school.edu
        }

    [domain_realm]
        .ad.school.edu = AD.SCHOOL.EDU

When looking at the logs, we get the following information:

Mar 14 16:10:19 kerberos.school.edu krb5kdc[15690](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 128.128.128.128(88): ISSUE: authtime 1110838219, etypes {rep=3 tkt=16 ses=1}, user at SCHOOL.EDU for krbtgt/SCHOOL.EDU at SCHOOL.EDU
Mar 14 16:10:19 kerberos.school.edu krb5kdc[15690](info): TGS_REQ (5 etypes {23 3 1 24 -135}) 128.128.128.128(88): UNKNOWN_SERVER: authtime 1110838219,  user at SCHOOL.EDU for krbtgt/AD.UMN.EDU at SCHOOL.EDU, Server not found in Kerberos database

Any ideas on why we are getting the error "Server not found in Kerberos 
database"?

Thanks,

-Jeremy J. Casper
casper at umn.edu
Office of Information Technology
University of Minnesota
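
An added example, not part of the original post: a triage script for UNKNOWN_SERVER entries like the one in the log above. It extracts the service principal the KDC was asked for and compares it with a principal list such as kadmin's listprincs prints, reporting a case-only difference separately because MIT Kerberos looks principals up case-sensitively. The sample log lines, the principal list and the function names are constructed for this example.

```python
import re

# krb5kdc failure entry for a TGS request. Accepts "@" as well as the " at "
# form that mailing-list archives substitute for it.
UNKNOWN = re.compile(
    r"TGS_REQ .*?: UNKNOWN_SERVER: authtime \d+,\s+"
    r"(?P<client>\S+(?: at |@)\S+) for (?P<service>\S+(?: at |@)\S+?),"
)

def unknown_servers(log_lines):
    """Return (client, service) for each TGS_REQ rejected as UNKNOWN_SERVER."""
    hits = []
    for line in log_lines:
        m = UNKNOWN.search(line)
        if m:
            hits.append(tuple(m.group(g).replace(" at ", "@")
                              for g in ("client", "service")))
    return hits

def diagnose(service, known_principals):
    """Classify a requested principal against the KDC's principal list."""
    if service in known_principals:
        return "present"
    # The KDC database lookup is case-sensitive, so a name that differs only
    # in case is a different principal as far as the KDC is concerned.
    near = [p for p in known_principals if p.lower() == service.lower()]
    if near:
        return "case mismatch: database has " + near[0]
    return "missing"

# Constructed sample input, modelled on the log format in the post.
SAMPLE_LOG = [
    "Mar 14 16:10:19 kerberos.school.edu krb5kdc[15690](info): AS_REQ (7 etypes "
    "{23 -133 -128 3 1 24 -135}) 192.0.2.10(88): ISSUE: authtime 1110838219, "
    "etypes {rep=3 tkt=16 ses=1}, user@SCHOOL.EDU for krbtgt/SCHOOL.EDU@SCHOOL.EDU",
    "Mar 14 16:10:19 kerberos.school.edu krb5kdc[15690](info): TGS_REQ (5 etypes "
    "{23 3 1 24 -135}) 192.0.2.10(88): UNKNOWN_SERVER: authtime 1110838219,  "
    "user at SCHOOL.EDU for krbtgt/AD.SCHOOL.EDU at SCHOOL.EDU, "
    "Server not found in Kerberos database",
]
# Constructed principal list, in the form kadmin's listprincs prints.
SAMPLE_PRINCS = ["krbtgt/SCHOOL.EDU@SCHOOL.EDU", "krbtgt/ad.school.edu@SCHOOL.EDU"]

if __name__ == "__main__":
    for client, service in unknown_servers(SAMPLE_LOG):
        print(f"{client} -> {service}: {diagnose(service, SAMPLE_PRINCS)}")
```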

