MIT Kerberos Client With Trusted Active Directories

Douglas E. Engert deengert at anl.gov
Fri Jan 4 10:19:07 EST 2008



e70965 wrote:
> 
> Hi,
> 
> I have Domain_A and Domain_B (both are Win2003 servers). I have made a two-way
> trust between both AD servers.
> I want to do Kerberos authentication from a machine which is joined to
> Domain_A using a Domain_B user's account.
> 
> In this case, suppose my client (in Domain_A) does not have access to
> Domain_B.  Authentication process can be done via Domain_A Server to
> Domain_B Server (I mean getting TGT/TGS).

No. The Domain servers (KDC) don't communicate directly. The client
libs request tickets from the user's KDC in Domain_B, for a TGT. That
TGT is used against Domain_B to get a second TGT usable at Domain_A.
(It is encrypted in the shared secret you set up with the trust.)
The second TGT is then used against Domain_A to get service tickets for
services in Domain_A.

> 
> Please help me, if anyone knows about this.
> 
> Regards,
> Eswar S
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
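
The ticket sequence described in the reply above, modelled as an added example that is not part of the original message or of MIT Kerberos. It generalises to longer trust chains, and the user realm, service principal and reachability set are constructed sample values; the point it checks is which KDCs the client itself must be able to contact.

```python
from collections import deque

def trust_path(trusts, src, dst):
    """Shortest chain of realms from src to dst over direct trusts (BFS).
    trusts[R] = realms for which R's KDC can issue a cross-realm TGT."""
    prev, queue = {src: None}, deque([src])
    while queue:
        realm = queue.popleft()
        if realm == dst:
            path = []
            while realm is not None:
                path.append(realm)
                realm = prev[realm]
            return path[::-1]
        for nxt in sorted(trusts.get(realm, ())):
            if nxt not in prev:
                prev[nxt] = realm
                queue.append(nxt)
    return None

def client_exchanges(trusts, user_realm, service, service_realm):
    """(kdc_realm, message, ticket_obtained) tuples in the order the client sends them."""
    path = trust_path(trusts, user_realm, service_realm)
    if path is None:
        raise ValueError(f"no trust path from {user_realm} to {service_realm}")
    # Initial TGT always comes from the user's own realm.
    steps = [(user_realm, "AS-REQ", f"krbtgt/{user_realm}@{user_realm}")]
    for here, nxt in zip(path, path[1:]):
        # Cross-realm TGT: issued by `here`, encrypted in the key shared with `nxt`.
        steps.append((here, "TGS-REQ", f"krbtgt/{nxt}@{here}"))
    steps.append((service_realm, "TGS-REQ", f"{service}@{service_realm}"))
    return steps

def unreachable_kdcs(steps, reachable):
    """Realms whose KDC the client must contact but cannot reach."""
    return sorted({realm for realm, _, _ in steps} - set(reachable))

# Constructed sample: the two-way trust from the thread, Domain_B user, Domain_A service.
TRUSTS = {"DOMAIN_A": {"DOMAIN_B"}, "DOMAIN_B": {"DOMAIN_A"}}
STEPS = client_exchanges(TRUSTS, "DOMAIN_B", "host/ws1.domain_a.example", "DOMAIN_A")

if __name__ == "__main__":
    for realm, msg, ticket in STEPS:
        print(f"{msg:8} -> KDC of {realm:9} yields {ticket}")
    # A client that can only reach Domain_A's KDC cannot complete the sequence.
    print("blocked:", unreachable_kdcs(STEPS, reachable={"DOMAIN_A"}))
```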


