Cross-realm authentication Windows AD - MIT

Wouter Verhelst wouter at nixsys.be
Sun Jun 29 11:34:47 EDT 2008


Hi,

Recently, I've set up an MIT kerberos realm. In this realm, there are a
few users, and an Apache HTTP server that I've successfully done
Kerberos-authentication against using mod_auth_kerb and firefox on the
client-side. So far so good.

Now when I try to do cross-realm authentication from a Windows host, it
does not seem to work. The steps I've taken include:

- set up cross-realm authentication: I have a one-way "incoming" trust
  relationship in Windows, and have created a
  "krbtgt/MIT-REALM@WINDOWS-REALM" principal in kadmin, with the same
  password (a 40-character random string that was copy-pasted in both
  cases). The trust is a "realm" trust, not a "domain trust", to account
  for the differences between Windows "Kerberos" and the actual
  protocol.
- Use "ksetup" to tell the Windows server where the MIT-REALM's KDCs
  are. This was necessary, because the MIT-REALM servers did not have
  DNS SRV records at first (later this was fixed, but that still did not
  solve the problem).
- Use Internet Explorer, after logging in to a computer in
  WINDOWS-REALM, to access the webserver which uses mod_auth_kerb. This
  did not succeed.
- Use firefox to try the same. Same issue.

What's peculiar is that in the final two steps, the windows system
doesn't even seem to request cross-realm kerberos tickets; it doesn't
get a TGT, nor does it try to contact the MIT kerberos server. Searching
for this kind of information on the net does not reveal anything that
jumps out as relevant (except for one note somewhere that Microsoft
doesn't support this kind of thing -- sigh); so I'm kind of hoping
someone here would have some experience with a similar situation, and
could help me find out what the hell is going wrong.

Thanks,

-- 
Wouter Verhelst
NixSys BVBA
Louizastraat 14, 2800 Mechelen
T: +32 15 27 69 50 / F: +32 15 27 69 51 / M: +32 486 836 198