Firefox vs IE Cross Realm Kerberos SSO Authentication

Michael B Allen mba2000 at
Thu May 10 15:10:09 EDT 2007

Hello List,

I have found an inconsistency between IE and Firefox with respect to
Kerberos cross realm authentication.

I have two Windows domains W.NET and B.W.NET. If I set up SSO on a Linux
web server and create the HTTP service account in the B.W.NET
realm all works fine with both FF and IE.

However, if I create the HTTP service in the parent domain W.NET, IE
can successfully perform SSO whereas FF cannot.

From looking at a capture of the failure I see the following:

S: KRB5 TGS-REP with krbtgt/W.NET
C: DNS SRV query for _kerberos-master._udp.B.W.NET
S: DNS No such name

Can anyone explain this behavior and tell me if it is consistent with
what is supposed to happen?


Michael B Allen
PHP Active Directory Kerberos SSO
