Cross-realm authentication Windows AD - MIT
Wouter Verhelst
wouter at nixsys.be
Sun Jun 29 11:34:47 EDT 2008
Hi,
Recently, I've set up an MIT Kerberos realm. In this realm, there are a
few users, and an Apache HTTP server that I've successfully done
Kerberos-authentication against using mod_auth_kerb and Firefox on the
client-side. So far so good.
Now when I try to do cross-realm authentication from a Windows host, it
does not seem to work. The steps I've taken include:
- set up cross-realm authentication: I have a one-way "incoming" trust
relationship in Windows, and created a
"krbtgt/MIT-REALM at WINDOWS-REALM" principal in kadmin, with the same
password (a 40-character random string that was copy-pasted in both
cases). The trust is a "realm" trust, not a "domain trust", to account
for the differences between Windows "Kerberos" and the actual
protocol.
- Use "ksetup" to tell the Windows server where the MIT-REALM's KDCs
are. This was necessary, because the MIT-REALM servers did not have
DNS SRV records at first (later this was fixed, but that still did not
solve the problem).
- Use Internet Explorer, after logging in to a computer in
WINDOWS-REALM, to access the webserver which uses mod_auth_kerb. This
did not succeed.
- Use Firefox to try the same. Same issue.
What's peculiar is that in the final two steps, the Windows system
doesn't even seem to request cross-realm Kerberos tickets; it doesn't
get a TGT, nor does it try to contact the MIT Kerberos server. Searching
for this kind of information on the net does not reveal anything that
jumps out as relevant (except for one note somewhere that Microsoft
doesn't support this kind of thing -- sigh); so I'm kind of hoping
someone here would have some experience with a similar situation, and
could help me find out what the hell is going wrong.
Thanks,
--
Wouter Verhelst
NixSys BVBA
Louizastraat 14, 2800 Mechelen
T: +32 15 27 69 50 / F: +32 15 27 69 51 / M: +32 486 836 198
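As an added example (not part of the post above, nor code from MIT krb5 or ksetup), a small Python model of how a client decides which realm a service host belongs to and which tickets it therefore requests; it shows why a client with no host-to-realm mapping for the web server never asks for a cross-realm TGT at all. The realm names follow the post; the hostname and mapping table are assumptions.

```python
"""Model of how a Kerberos client picks the realm of a service and which
tickets it therefore requests, so a missing host-to-realm mapping stands
out. The lookup mirrors MIT krb5's [domain_realm] rules (exact host first,
then the longest matching domain suffix, else the client's own realm);
ksetup /addhosttorealmmap feeds the same kind of table on Windows.
The hostname below is constructed; the realm names follow the post."""


def service_realm(host, host_realm_map, default_realm):
    """Return the realm a client assumes the service host lives in."""
    host = host.lower().rstrip(".")
    if host in host_realm_map:                      # exact host entry wins
        return host_realm_map[host]
    labels = host.split(".")
    for i in range(1, len(labels)):                 # longest suffix first
        suffix = "." + ".".join(labels[i:])
        if suffix in host_realm_map:
            return host_realm_map[suffix]
    return default_realm                            # unmapped: own realm


def ticket_chain(client_realm, service, host, host_realm_map):
    """Principals the client asks for, in order, to reach service/host.
    Assumes a direct trust between the two realms (no [capaths] hops)."""
    realm = service_realm(host, host_realm_map, client_realm)
    chain = [f"krbtgt/{client_realm}@{client_realm}"]
    if realm != client_realm:
        chain.append(f"krbtgt/{realm}@{client_realm}")  # cross-realm TGT
    chain.append(f"{service}/{host}@{realm}")
    return chain


def requests_cross_realm_tgt(chain):
    """True if any requested principal is a krbtgt for a foreign realm."""
    for principal in chain:
        name, realm = principal.split("@")
        if name.startswith("krbtgt/") and name[len("krbtgt/"):] != realm:
            return True
    return False


if __name__ == "__main__":
    host = "www.mit-realm.test"                     # constructed hostname
    tables = (("no mapping", {}),
              ("mapped", {".mit-realm.test": "MIT-REALM"}))
    for label, table in tables:
        chain = ticket_chain("WINDOWS-REALM", "HTTP", host, table)
        print(f"{label}: cross-realm TGT requested ="
              f" {requests_cross_realm_tgt(chain)}")
        for principal in chain:
            print("   ", principal)
```

In the unmapped case the client asks its own KDC for HTTP/www.mit-realm.test@WINDOWS-REALM, which that KDC cannot issue, so no traffic ever reaches the MIT KDC.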