MIT Kerberos + Windows 2K3 AD Kerberos Cross-Realm TGT Issue using SSPI
Jason D. McCormick
jasonmc at sei.cmu.edu
Mon Apr 20 17:20:00 EDT 2009
> On the trust problem, by default, Windows clients rely on the
> Active Directory to do the host-to-realm mappings. Do you have
> a top-level-name forward configured on the two-way external
> trust in AD? These are done automatically for Windows forest
> trusts, but not always for external trusts.
>
> (Trust needs to be forest transitive)
> Netdom trust AD.EXAMPLE2.COM /domain:EXAMPLE1.COM
> /AddTLN:EXAMPLE1.COM
You can only do this operation with the top-level forest root and
based on reading, we didn't think it would do anything. We went ahead
and defined a two-way external trust for AD-ROOT.EXAMPLE2.COM <->
EXAMPLE1.COM and added this trust type and it didn't have any effect.
Is there any additional documentation you're aware of that has
configuration directives that may force a trust at non-forest-level
domains?
- Jason