MIT Kerberos + Windows 2K3 AD Kerberos Cross-Realm TGT Issue using SSPI

Jason D. McCormick jasonmc at sei.cmu.edu
Mon Apr 20 17:20:00 EDT 2009


> On the trust problem, by default, Windows clients rely on the
> Active Directory to do the host-to-realm mappings. Do you have 
> a top-level-name forward configured on the two-way external 
> trust in AD? These are done automatically for Windows forest 
> trusts, but not always for external trusts.
> 
> (Trust needs to be forest transitive)
> Netdom trust AD.EXAMPLE2.COM /domain:EXAMPLE1.COM
> /AddTLN:EXAMPLE1.COM

You can only do this operation with the top-level forest root and
based on reading, we didn't think it would do anything.  We went ahead
and defined a two-way external trust for AD-ROOT.EXAMPLE2.COM <->
EXAMPLE1.COM and added this trust type and it didn't have any effect.
Is there any additional documentation you're aware of that has
configuration directives that may force a trust at non-forest-level
domains?

- Jason
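One way to check, from the AD side, whether the trust to the MIT realm is actually forest transitive and which name suffixes are routed over it, as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory PowerShell module on a domain-joined administrative host, and reuses the realm and domain names from the thread (AD-ROOT.EXAMPLE2.COM, EXAMPLE1.COM); the trust object name is assumed to match the realm name.

```powershell
# Added example, not from the original thread. Assumes the RSAT
# ActiveDirectory module and the realm/domain names used in the thread.
Import-Module ActiveDirectory

# MIT realm from the thread; assumed to be the name of the AD trust object.
$trustedRealm = 'EXAMPLE1.COM'

# Direction, type and transitivity of every trust known to this domain.
# A non-transitive external trust carries no referrals for names it is
# not explicitly configured to route, which is the symptom in the thread.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, TrustAttributes |
    Format-Table -AutoSize

# Look specifically at the trust to the MIT realm.
$t = Get-ADTrust -Filter "Name -eq '$trustedRealm'" -ErrorAction SilentlyContinue
if (-not $t) {
    Write-Warning "No trust object named $trustedRealm exists in this domain"
} elseif (-not $t.ForestTransitive) {
    Write-Warning "Trust to $trustedRealm is not forest transitive; /AddTLN routing does not apply"
} else {
    Write-Output "Trust to $trustedRealm is forest transitive (direction: $($t.Direction))"
}

# List the top-level name suffixes routed over the trust. netdom must be
# run from the forest root (AD-ROOT.EXAMPLE2.COM in the thread) with
# domain-admin rights on that forest.
netdom trust AD-ROOT.EXAMPLE2.COM /domain:$trustedRealm /NameSuffixes:$trustedRealm
```

If the trust shows up as non-transitive, or the MIT realm's suffix is absent or disabled in the netdom listing, KDC referrals from child domains of EXAMPLE2 will not reach the MIT realm regardless of what the child domain's own trust objects say.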