Cross-realm Authentication with Windows Server 2003
Walter Weiss
wuw1 at psu.edu
Mon Mar 14 19:05:34 EST 2005
The easiest way to do it on the Windows side is through Active Directory
Domains and Trusts. There is an excellent white paper put out by Microsoft
that details the process for Windows 2000 but still applies to 2003. We just
set this up for a one-way trust; it works flawlessly.
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
Walter Weiss
-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of
Jeremy J. Casper
Sent: Monday, March 14, 2005 5:27 PM
To: kerberos at mit.edu
Subject: Cross-realm Authentication with Windows Server 2003
We are trying to set up a Kerberos pass-thru authenticated logon in a
Windows 2003 server forest. We have tried the following steps to get
the pass-thru to work, but are currently getting an error message when
we try to log in. We have done the following steps on both the AD
controller and the Kerberos server.
Active Directory Domain is AD.SCHOOL.EDU
Kerberos realm is SCHOOL.EDU
Kerberos server
Active Directory Server
1. ran the following command "ksetup /addkdc SCHOOL.EDU kerberos.SCHOOL.EDU"
2. ran the command "netdom TRUST AD.SCHOOL.EDU /Domain:SCHOOL.EDU /Add /Realm /PasswordT:"Someolpswd"
3. ran the command "netdom TRUST AD.SCHOOL.EDU /Domain:SCHOOL.EDU /Transitive:yes"
4. Restarted the AD server
Kerberos Server
1. ran the command kadmin: addprinc -e des-cbc-crc:normal krbtgt/ad.school.edu
2. entered "Someolpswd" when prompted for the password
3. added to the hosts file "<ip address> ad.school.edu ad"
4. added to the krb5.conf file:
[realms]
AD.SCHOOL.EDU = {
kdc = dc.ad.school.edu
admin_server = dc.ad.school.edu
}
[domain_realm]
.ad.school.edu = AD.SCHOOL.EDU
When looking at the logs, we get the following information:
Mar 14 16:10:19 kerberos.school.edu krb5kdc[15690](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 128.128.128.128(88): ISSUE: authtime 1110838219, etypes {rep=3 tkt=16 ses=1}, user@SCHOOL.EDU for krbtgt/SCHOOL.EDU@SCHOOL.EDU
Mar 14 16:10:19 kerberos.school.edu krb5kdc[15690](info): TGS_REQ (5 etypes {23 3 1 24 -135}) 128.128.128.128(88): UNKNOWN_SERVER: authtime 1110838219, user@SCHOOL.EDU for krbtgt/AD.UMN.EDU@SCHOOL.EDU, Server not found in Kerberos database
Any ideas on why we are getting the error "Server not found in Kerberos
database"?
Thanks,
-Jeremy J. Casper
casper at umn.edu
Office of Information Technology
University of Minnesota
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
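The krb5kdc log quoted in the post is the first thing to read when a cross-realm logon fails, because the TGS_REQ line names exactly which krbtgt/<realm> principal the KDC was asked for. As an added example (not code from the thread, from MIT Kerberos, or from Microsoft), the Python below parses krb5kdc AS_REQ/TGS_REQ lines, picks out TGS requests rejected with UNKNOWN_SERVER for a krbtgt/ principal, and compares the requested principal against the krbtgt principals the KDC actually holds. The two log lines are the ones from the post, joined back onto one line each; the principal list is a constructed assumption of what the addprinc step above would leave in the database. The check separates a realm with no krbtgt entry at all from one that exists only under different letter-case, since MIT Kerberos looks principals up case-sensitively.

```python
import re

# Constructed sample: the two krb5kdc lines quoted in the post, one per line.
SAMPLE_KDC_LOG = """\
Mar 14 16:10:19 kerberos.school.edu krb5kdc[15690](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 128.128.128.128(88): ISSUE: authtime 1110838219, etypes {rep=3 tkt=16 ses=1}, user@SCHOOL.EDU for krbtgt/SCHOOL.EDU@SCHOOL.EDU
Mar 14 16:10:19 kerberos.school.edu krb5kdc[15690](info): TGS_REQ (5 etypes {23 3 1 24 -135}) 128.128.128.128(88): UNKNOWN_SERVER: authtime 1110838219, user@SCHOOL.EDU for krbtgt/AD.UMN.EDU@SCHOOL.EDU, Server not found in Kerberos database
"""

# Constructed assumption: the krbtgt principals present in the SCHOOL.EDU KDC
# after the "addprinc ... krbtgt/ad.school.edu" step (as "listprincs krbtgt/*"
# in kadmin would show them).
SAMPLE_KRBTGT_PRINCS = [
    "krbtgt/SCHOOL.EDU@SCHOOL.EDU",
    "krbtgt/ad.school.edu@SCHOOL.EDU",
]

# One AS_REQ or TGS_REQ line: request kind, KDC status word, client and
# server principal ("<client> for <server>").
REQ_LINE = re.compile(
    r"(?P<kind>AS_REQ|TGS_REQ) .*?\): (?P<status>[A-Z_]+): "
    r".*? (?P<client>\S+) for (?P<server>[^,\s]+)"
)

NO_ENTRY = "no krbtgt principal for that realm in the KDC database"
CASE_ONLY = "exists only as {}; principal names are case-sensitive"


def parse_kdc_log(text):
    """Return one dict (kind, status, client, server) per request line."""
    events = []
    for line in text.splitlines():
        m = REQ_LINE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def cross_realm_problems(events, krbtgt_princs):
    """For every TGS_REQ the KDC answered with UNKNOWN_SERVER on a krbtgt/
    principal, return (client, requested server, reason) explaining why the
    database lookup failed against the krbtgt principals actually present."""
    present = set(krbtgt_princs)
    present_by_lower = {p.lower(): p for p in krbtgt_princs}
    problems = []
    for ev in events:
        if ev["kind"] != "TGS_REQ" or ev["status"] != "UNKNOWN_SERVER":
            continue
        server = ev["server"]
        if not server.startswith("krbtgt/") or server in present:
            continue
        match = present_by_lower.get(server.lower())
        reason = CASE_ONLY.format(match) if match else NO_ENTRY
        problems.append((ev["client"], server, reason))
    return problems


if __name__ == "__main__":
    for client, server, reason in cross_realm_problems(
        parse_kdc_log(SAMPLE_KDC_LOG), SAMPLE_KRBTGT_PRINCS
    ):
        print(f"{client} asked for {server}: {reason}")
```

Run against the post's own lines, the check reports that the client asked for krbtgt/AD.UMN.EDU@SCHOOL.EDU and that no krbtgt principal for that realm exists in the KDC database; the realm component of the requested principal is what the Windows side believes its domain's Kerberos realm is, so that is the name the cross-realm krbtgt principal on the MIT KDC has to carry, spelled in the same case.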