MIT Kerberos cross realm authentication with Windows Active Directory

Douglas E. Engert deengert at anl.gov
Fri Nov 21 16:51:26 EST 2008 


Duffey, Blake A. wrote:
> I have encountered a peculiar problem and would like to know if anyone has
> seen it (or can duplicate it) and has a work around.
>  
> I have a cross-realm trust between a Windows 2008 Active Directory and an
> MIT Kerberos Realm.  The resources (apache, sshd, postgresql) are in the MIT
> realm and the users are in the AD (at the moment this setup cannot be
> changed). 
>  
> While my domain controller is Windows 2008, my current 'client' is a Windows
> 2003 server. 

You mean the client machine is W2003, but the Kerberos "client" is a user in AD?

>  When I boot the server and logon using a domain ID,

Do you give DOMAIN\user or user at DOMAIN or user at MITrealm or just user?
Can you try other combinations?


> the cross
> realm works great.   I log on with an AD account (which is mapped to a
> Kerberos princ in the MIT realm) 

But you said the user's were in AD.

So why did you map the princ to the MIT realm?  This would only be used
if the user's were in the MIT realm if you did not want AD to do
the Kerberos AS processing but have the user get the TGT from the MIT realm.
Are you sure you want to do the princ mapping?


>  and connect using Kerberos-aware clients
> (putty, Firefox, IE) to resources in the MIT realm. 

Which PuTTY? Is putty using the MS SSPI or the GSSAPI from MIT Kerberos
For Windows? i.e. what kerberos libs and which krb5 configuration is being
used to get the service ticket, krb5.ini or the Registry as set by ksetup?

> Doing a network
> capture, I see my client send a request for the tgt to my domain controller,
> I get the correct ticket which is then passed along, and all is well.
>  
> If I log off, and then log back on as the same user (or the screen locks,
> which on Windows clears the Kerberos cache), the cross realm does NOT work.
> (in fact, my network capture shows my client asking for
> host/bobo.mit.realm at MIT.REALM rather than the tgt). 

I assume these are obfuscated names. Does the real DNS name match the MIT realm
name? Is bobo the name of your "client" Windows 2003 server or the name of
resource machines?


  I have replicated this
> on different servers and on different AD domains.  This is a standard
> Windows 2003 server install, I have just used ksetup to set the KDC for the
> MIT realm and implemented a registry hack (see below).
>  
> If I use a Windows 2008 server as my client, it works perfectly.  The
> 'ksetup' program in Windows 2008 has a switch called 'AddHostToRealmMap'
> which does what it sounds like.  (I believe this acts like the krb5.conf
> settings under the [domain_realm] section).  This switch doesn't exist in
> the Windows 2003 version of ksetup, but MS claims I can add the registry
> keys thusly:  http://technet.microsoft.com/en-us/library/cc738673.aspx
>  
> But it doesn't work after a log off and it doesn't work after a screen lock.
> If I reboot the machine and log in, it all works again.  I am baffled by
> this behavior and, since I can't be the first person to try to implement
> this scenario, would love to hear if anyone has any insight.
>  

Does this work in an XP client machine?

> Thanks and I appreciate your time.
>  
> Blake
>  
>  
>  
> 
> 
> ------------------------------------------------------------------------
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list