Cross-realm authentication Windows AD - MIT

Russ Allbery rra at stanford.edu
Mon Jun 30 12:50:41 EDT 2008


Wouter Verhelst <wouter at nixsys.be> writes:

> Now when I try to do cross-realm authentication from a Windows host, it
> does not seem to work. The steps I've taken include:
>
> - set up cross-realm authentication: I have a one-way "incoming" trust
>   relationship in Windows, and created a
>   "krbtgt/MIT-REALM at WINDOWS-REALM" principal in kadmin, with the same
>   password (a 40-character random string that was copy-pasted in both
>   cases). The trust is a "realm" trust, not a "domain trust", to account
>   for the differences between Windows "Kerberos" and the actual
>   protocol.

For what it's worth, Windows Kerberos is the actual protocol.  Except for
some issues around PKINIT, which aren't really Microsoft's fault, and the
bugs that any implementation will have, Windows Kerberos follows the
protocol just like everyone else.  The PAC is allowed for in the protocol.

Microsoft does deserve negative press for some things around how they
handled the PAC situation, but protocol compliance isn't one of them.
Microsoft Windows KDCs interoperate quite well with the rest of the
world.

> What's peculiar is that in the final two steps, the windows system
> doesn't even seem to request cross-realm kerberos tickets; it doesn't
> get a TGT, nor does it try to contact the MIT kerberos server.

I think you have a one-way trust going the wrong way for what you're
trying to do.  You need an outgoing trust from Windows to MIT for the
Windows client to get cross-realm tickets with MIT.

Why not just set up full bidirectional trust?  That's what we do and I can
confirm that once that trust is set up, what you're trying to do works
just fine; we do exactly the same thing for our central web authentication
system.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
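The bidirectional trust Russ recommends, as an added example that is not part of the original thread or either poster's configuration. Everything here is assumed: the Windows domain WINDOWS.EXAMPLE.COM, the MIT realm MIT.EXAMPLE.COM, the KDC host kdc.mit.example.com, the service principal used for the check, and the $TrustPassword variable. The Windows side is typed into an elevated PowerShell session on a domain controller; the MIT side is shown in comments because it is typed into kadmin on the MIT KDC, not into PowerShell.

```powershell
# Added example (hypothetical names), not from the original post.
# Assumed environment:
#   Windows domain : WINDOWS.EXAMPLE.COM   (run this on a DC as Domain Admin)
#   MIT realm      : MIT.EXAMPLE.COM       (KDC: kdc.mit.example.com)
#   $TrustPassword : the shared krbtgt secret, identical on both sides

$WindowsDomain = "WINDOWS.EXAMPLE.COM"
$MitRealm      = "MIT.EXAMPLE.COM"
$MitKdc        = "kdc.mit.example.com"
$TrustPassword = Read-Host "Shared trust password (same string you give kadmin)"

# 1. Create the realm trust in BOTH directions.  /twoway is the point of the
#    thread: a trust that is only "incoming" to Windows lets MIT principals use
#    Windows services, but gives a Windows client no way to ask its DC for
#    krbtgt/MIT.EXAMPLE.COM@WINDOWS.EXAMPLE.COM, so it never contacts the MIT KDC.
netdom trust $WindowsDomain /domain:$MitRealm /add /realm /twoway /transitive:yes /passwordt:$TrustPassword

# 2. Tell the DC (and, with the same command, each client) where the MIT KDC is,
#    and which hosts belong to the MIT realm so SPNs on them are routed there.
ksetup /addkdc $MitRealm $MitKdc
ksetup /addhosttorealmmap "*.mit.example.com" $MitRealm

# 3. MIT side, run on the MIT KDC (not PowerShell).  Both krbtgt principals
#    must exist, each set to the same password entered above:
#      kadmin.local -q "addprinc -e aes256-cts-hmac-sha1-96:normal,rc4-hmac:normal krbtgt/MIT.EXAMPLE.COM@WINDOWS.EXAMPLE.COM"
#      kadmin.local -q "addprinc -e aes256-cts-hmac-sha1-96:normal,rc4-hmac:normal krbtgt/WINDOWS.EXAMPLE.COM@MIT.EXAMPLE.COM"
#    If the MIT krbtgt keys are AES only, tell Windows to use AES for this realm:
#      ksetup /setenctypeattr MIT.EXAMPLE.COM AES256-CTS-HMAC-SHA1-96

# 4. Check from a domain-joined Windows client: request a ticket for a service
#    in the MIT realm, then confirm the cache holds the cross-realm TGT.  If the
#    trust direction is wrong, "klist get" fails and no krbtgt/MIT.EXAMPLE.COM
#    entry appears, which is exactly the symptom described in the thread.
klist get "HTTP/web.mit.example.com@$MitRealm"
klist | Select-String "krbtgt/$MitRealm"
```

The two kadmin principals differ only in which realm is the "issuer" of the ticket: krbtgt/MIT.EXAMPLE.COM@WINDOWS.EXAMPLE.COM is what a Windows DC hands a Windows client so it can go to the MIT KDC, and krbtgt/WINDOWS.EXAMPLE.COM@MIT.EXAMPLE.COM is the reverse. A one-way trust only needs one of them, and it must be the one matching the direction in which clients actually travel.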
