Win 2003 Server cross-realm authentication

Christopher D. Clausen cclausen at acm.org
Tue Apr 18 23:02:56 EDT 2006


jeff.quinn at gmail.com wrote:
> I've set up a windows 2003 AD, a two-way transitive trust with an MIT
> Kerberos server, run ksetup to add the realm of the kerb5 server, and
> have created accounts on both the kerberos server and in the active
> directory that allow me to successfully log in individually.  I have
> set the active directory server up as a terminal server, and can
> remotely connect successfully using an account in the AD.  I've mapped
> usernames in the kerberos database to users in the AD.  When I attempt
> to log in to the terminal server using one of the mapped user accounts
> from the kerberos server, I get the following error:
> KDC_ERR_S_PRINCIPAL_UNKNOWN
>
> I also get the error without intervention about every 5 minutes.
>
> I've gone through Microsoft's techbase article and troubleshooting
> guide for kerberos errors.
> -No new computer account has been created
> -UDP Fragmentation is not occurring from what I can tell.
>
> I'm not sure if the service is registered and has an SPN set - and am
> not quite sure how to go about verifying.  The username krbtgt exists
> and nothing seems to be wrong with it.
>
> Could someone please offer some advice?  If at all possible, not by
> referring me to a microsoft techbase article - I've been looking at
> those for a week, and either aren't helpful, or aren't clear on what
> the appropriate steps are.

Do you have Service Pack 1 installed?  Can these users log in "on the 
glass"?

Does http://support.microsoft.com/?kbid=902336 describe your situation?

If so, the problem is that something is broken and network traces should 
show that Windows is looking for Domain Controllers in the "domain" of 
the Kerberos Realm instead of the actual Windows domain and failing, 
resulting in the above error.

Both the hotfix and the workaround appear to solve this problem.

<<CDC
-- 
Christopher D. Clausen
ACM at UIUC SysAdmin 
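As an added illustration of the symptom described in the reply above (example code, not part of the thread): given DNS SRV lookups summarised from a network trace, flag domain-controller locator queries that name the MIT Kerberos realm instead of the Windows domain. The sample query lines, the realm `KRB.EXAMPLE.ORG` and the domain `ad.example.com` are constructed.

```python
import re

# Constructed summary of DNS SRV queries as they might be read off a trace
# taken on the terminal server; not a real capture.
SAMPLE_QUERIES = [
    "SRV _ldap._tcp.dc._msdcs.ad.example.com",
    "SRV _kerberos._tcp.dc._msdcs.ad.example.com",
    "SRV _ldap._tcp.dc._msdcs.KRB.EXAMPLE.ORG",
    "SRV _kerberos._tcp.dc._msdcs.KRB.EXAMPLE.ORG",
    "SRV _kerberos._udp.KRB.EXAMPLE.ORG",
]

# Windows locates domain controllers via SRV records under _msdcs.<domain>.
# A plain _kerberos._udp.<realm> lookup is a normal KDC lookup and is ignored.
DC_LOCATOR_RE = re.compile(
    r"^SRV\s+_(?:ldap|kerberos)\._(?:tcp|udp)\.dc\._msdcs\.(?P<domain>[\w.-]+)$"
)


def dc_lookup_counts(queries):
    """Count DC-locator SRV lookups per target domain (lower-cased)."""
    counts = {}
    for q in queries:
        m = DC_LOCATOR_RE.match(q.strip())
        if m:
            domain = m.group("domain").rstrip(".").lower()
            counts[domain] = counts.get(domain, 0) + 1
    return counts


def misdirected_dc_lookups(queries, windows_domain, mit_realm):
    """Return DC-locator lookups aimed at the MIT realm rather than the AD domain.

    A non-empty result matches the failure mode in the reply: Windows tries to
    find a Domain Controller for the Kerberos realm, which has none.
    """
    hits = []
    for q in queries:
        m = DC_LOCATOR_RE.match(q.strip())
        if not m:
            continue
        domain = m.group("domain").rstrip(".").lower()
        if domain == mit_realm.lower() and domain != windows_domain.lower():
            hits.append(q.strip())
    return hits


if __name__ == "__main__":
    print(dc_lookup_counts(SAMPLE_QUERIES))
    for hit in misdirected_dc_lookups(SAMPLE_QUERIES, "ad.example.com", "KRB.EXAMPLE.ORG"):
        print("misdirected DC lookup:", hit)
```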