Win 2003 Server cross-realm authentication
Richard E. Silverman
res at qoxp.net
Mon Apr 17 19:48:01 EDT 2006
>>>>> "JQ" == jeff quinn <jeff.quinn at gmail.com> writes:
JQ> I've set up a windows 2003 AD, a two-way transitive trust with an
JQ> MIT Kerberos server, run ksetup to add the realm of the kerb5
JQ> server, and have created accounts on both the kerberos server and
JQ> in the active directory that allow me to successfully log in
JQ> individually. I have set the active directory server up as a
JQ> terminal server, and can remotely connect successfully using an
JQ> account in the AD. I've mapped usernames in the kerberos database
JQ> to users in the AD. When I attempt to log in to the terminal
JQ> server using one of the mapped user accounts from the kerberos
JQ> server, I get the following error: KDC_ERR_S_PRINCIPAL_UNKNOWN
We need a little more information. I assume you are trying to contact a
kerberized service in the MIT realm, using a TGT obtained from the Windows
realm? Is the client Windows or Unix?
If it's a Windows client, and it is not correctly configured to map the
DNS name of the server to the external realm, then it will send the
ticket request to its domain controller, expecting a referral -- but the
DC does not do referrals for external realms, and so you'll get this
error.
JQ> Could someone please offer some advice?
I would find out exactly what's happening. Look at the KDC log for the
MIT KDC, and see if the requests are going there. And/or, capture the
relevant Kerberos traffic (e.g. with Ethereal), and see what's going on.
--
Richard Silverman
res at qoxp.net
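Added example, not from the thread or either poster: a small Python triage over constructed lines in the shape of an MIT krb5kdc.log, answering the two questions Richard raises (did the requests reach the MIT KDC at all, and which service principal did they ask for). Realms, hosts and addresses (EXAMPLE.COM, AD.EXAMPLE.COM, ts.ad.example.com, 192.0.2.x) are placeholders.

```python
import re
from collections import Counter

# Constructed sample in the shape of an MIT krb5kdc.log; not taken from the thread.
# EXAMPLE.COM is the MIT realm, AD.EXAMPLE.COM the Windows realm (placeholders).
SAMPLE_LOG = """\
Apr 17 19:40:12 kdc krb5kdc[2210](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1145317212, etypes {rep=18 tkt=18 ses=18}, jquinn@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Apr 17 19:40:13 kdc krb5kdc[2210](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1145317212, etypes {rep=18 tkt=18 ses=18}, jquinn@EXAMPLE.COM for krbtgt/AD.EXAMPLE.COM@EXAMPLE.COM
Apr 17 19:41:05 kdc krb5kdc[2210](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: UNKNOWN_SERVER: authtime 0,  jquinn@EXAMPLE.COM for host/ts.ad.example.com@EXAMPLE.COM, Server not found in Kerberos database
"""

# Pull out request kind, client IP, KDC status, client principal and server principal.
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<kind>AS_REQ|TGS_REQ) .*?\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_]+): .*?(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+)"
)

def parse_kdc_log(text):
    """Return one dict per AS_REQ/TGS_REQ line; lines of other shapes are ignored."""
    return [m.groupdict() for m in map(LINE_RE.search, text.splitlines()) if m]

def triage(entries, local_realm):
    """Summarise who reached this KDC and which service principals it could not find."""
    report = {
        "requests_by_ip": Counter(e["ip"] for e in entries),
        "cross_realm_tgts": [],  # krbtgt/OTHER@LOCAL issued: the trust path works
        "unknown_servers": [],   # service principals this KDC does not hold
    }
    for e in entries:
        svc = e["server"].rpartition("@")[0]
        if e["status"] == "ISSUE" and svc.startswith("krbtgt/") and svc != "krbtgt/" + local_realm:
            report["cross_realm_tgts"].append(e["server"])
        elif e["status"] == "UNKNOWN_SERVER":
            # A host/... principal for a machine in the other realm, asked of this
            # realm: check that client's host-to-realm mapping for that DNS name.
            report["unknown_servers"].append((e["ip"], e["server"]))
    return report

if __name__ == "__main__":
    for key, value in triage(parse_kdc_log(SAMPLE_LOG), "EXAMPLE.COM").items():
        print(key, value)
```

A client that appears in neither list and has no requests at all sent its ticket request somewhere else, most likely to its own domain controller, which is the case Richard describes.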