cross domain Integrated Windows Auth (aka SPNEGO)

Tim Alsop Tim.Alsop at CyberSafe.com
Tue Jun 16 06:05:30 EDT 2009


Hello again.

I only received one response to my email below, so I wondered if anybody else has any experience of this setup and how I can solve it?
The response I received mentioned using netdom with /addtln parameter, but this will only work when AD and non-AD realm are involved. In our case there is only AD being used and not MIT KDC or Heimdal KDC.

Thanks,
Tim

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Tim Alsop
Sent: 04 June 2009 20:01
To: kerberos at mit.edu
Subject: cross domain Integrated Windows Auth (aka SPNEGO)

Hi,

One of our customers has a problem with Integrated Windows Authentication in IE browser. They have two AD domains which are part of different forests, so external trust is used. The workstation is joined to domain1 and user logs onto this domain, then opens browser to access web server which is on a server joined to domain2. This is not working, but if workstation on domain2 is used the logon works fine.

From the Wireshark trace on the workstation we can see a TGS-REQ being sent to domain1 for HTTP/<hostname of webserver>@<DOMAIN1> and of course this principal is not found in domain1, so principal not found is returned - the browser then uses NTLM and attempts to authenticate, but the web server we are using does not support NTLM.

Is there any way we can configure the workstation so that it knows which domain the webserver is in? We found a section in the registry which looks like it might be the correct place to configure this, but it didn't help :(

Thanks in advance for your help,

Tim

________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
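The symptom described in the original message (a TGS-REQ for the HTTP/ SPN sent to the wrong realm, a principal-unknown error from the KDC, then a silent fallback to NTLM) is something a defender can spot in a capture. The following is an added example, not code from the post or the list; the trace records, hostnames and realm names are constructed, and the record layout is an assumption chosen to mimic a Wireshark summary.

```python
# Added example (not from the original post): correlate Kerberos TGS failures with an
# NTLM fallback over a constructed, Wireshark-style trace summary. The field layout,
# hostnames and realm names below are assumptions, not values from the thread.

# Constructed trace summary: (frame, client, protocol, detail)
TRACE = [
    (1, "ws1.domain1.example", "KRB5", "TGS-REQ sname=HTTP/web.domain2.example realm=DOMAIN1.EXAMPLE"),
    (2, "ws1.domain1.example", "KRB5", "KRB-ERROR error_code=KDC_ERR_S_PRINCIPAL_UNKNOWN"),
    (3, "ws1.domain1.example", "NTLMSSP", "NEGOTIATE_MESSAGE to web.domain2.example"),
    (4, "ws2.domain2.example", "KRB5", "TGS-REQ sname=HTTP/web.domain2.example realm=DOMAIN2.EXAMPLE"),
    (5, "ws2.domain2.example", "KRB5", "TGS-REP sname=HTTP/web.domain2.example"),
]


def find_ntlm_fallbacks(trace):
    """Return (client, spn, realm) for every client whose TGS-REQ for an SPN was
    answered with KDC_ERR_S_PRINCIPAL_UNKNOWN and was then followed by an NTLMSSP
    NEGOTIATE, i.e. the wrong-realm lookup that degrades SPNEGO to NTLM."""
    pending = {}   # client -> (spn, realm) of its most recent TGS-REQ
    failed = {}    # client -> (spn, realm) that the KDC rejected
    findings = []
    for _frame, client, proto, detail in sorted(trace):
        if proto == "KRB5" and detail.startswith("TGS-REQ"):
            fields = dict(kv.split("=", 1) for kv in detail.split()[1:])
            pending[client] = (fields["sname"], fields["realm"])
        elif proto == "KRB5" and "KDC_ERR_S_PRINCIPAL_UNKNOWN" in detail and client in pending:
            # The KDC of the realm the client asked has no such service principal.
            failed[client] = pending.pop(client)
        elif proto == "KRB5" and detail.startswith("TGS-REP"):
            # A successful ticket clears any earlier state for this client.
            pending.pop(client, None)
            failed.pop(client, None)
        elif proto == "NTLMSSP" and client in failed:
            # Kerberos failed and the client is now negotiating NTLM: record the downgrade.
            spn, realm = failed.pop(client)
            findings.append((client, spn, realm))
    return findings


if __name__ == "__main__":
    for client, spn, realm in find_ntlm_fallbacks(TRACE):
        print(f"{client}: asked {realm} for {spn}, KDC said unknown, fell back to NTLM")
```

The output names the realm the workstation actually queried, which is the piece of information needed to confirm that the SPN lookup went to the user's logon domain rather than the domain hosting the web server.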
