Standard mechanisms to manage domain->realm mappings in multi-domain infrastructure

Newman, Edward (GTI) edward_newman at ml.com
Thu Aug 16 12:02:55 EDT 2007


Jeffrey Altman wrote:

There is no support for referrals to multiple realms.  The client is requesting a service ticket for a single entity.  The assumption is that there is a single instance of that entity.  If it is not in the current realm, the KDC can instruct the client which realm to ask and provide a cross-realm TGT to use when contacting the alternate realm.


The issue here is that the client doesn't know the correct realm for the service ticket; it only knows the machine FQDN. It would therefore need to go to the KDC of the realm it belongs to and ask for a service ticket for the service FQDN and the client realm. The KDC, which may support trusts to multiple other realms, needs some way to map FQDN and/or service principal to a specific realm and return this back to the client. Sounds almost like there is a need for another administrative protocol to allow trusting realms to share/cache their service principals so that the referral directs to the correct trusted realm. This would be unnecessary when the KDC shares a common repository (as is the case with AD and a GC) but not with cross-forest trusts.


Edward

___________________________________
Edward Newman
GTI A&E Identity & Naming Services
Merrill Lynch, 9th Fl, 222 Broadway, New York, NY 10007, USA
Phone : +1-212-670-1546  Cell: +1-917-975-2356
--------------------------------------------------------
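The client-side half of the mapping discussed above (FQDN to realm before any KDC referral is attempted) is what the [domain_realm] section of krb5.conf provides. The following is an added example, not code from the thread or from any Kerberos implementation: it parses a constructed [domain_realm] stanza and applies the usual lookup order (exact hostname first, then parent domains with a leading dot, longest match first), returning None when the client has no local mapping and must fall back to a KDC referral. Real libraries add DNS and referral fallbacks that are deliberately omitted here.

```python
"""Longest-suffix lookup of a Kerberos realm for a host FQDN.

Models the [domain_realm] section of krb5.conf: a key starting with "."
matches any host under that domain, a key without a leading dot matches
only that exact hostname. The longest matching key wins. The sample
configuration below is constructed for this example.
"""

SAMPLE_KRB5_CONF = """
[domain_realm]
    .corp.example.com = CORP.EXAMPLE.COM
    .eu.corp.example.com = EU.CORP.EXAMPLE.COM
    legacy-db.corp.example.com = LEGACY.EXAMPLE.NET
    .example.com = EXAMPLE.COM
"""


def parse_domain_realm(conf_text):
    """Return {pattern: realm} taken from the [domain_realm] stanza only."""
    mapping = {}
    in_section = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[domain_realm]"
            continue
        if in_section and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping


def realm_for_host(fqdn, mapping):
    """Exact host entry first, then the longest matching parent domain.

    Returns None when nothing matches: the client then has no local
    knowledge of the realm and has to rely on a KDC referral instead.
    """
    host = fqdn.lower().rstrip(".")  # normalise case and trailing dot
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):  # walk from longest suffix to shortest
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None
```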