Kerberos authetication against multiple Windows Domains

Earl, Kevan C Kevan.Earl at astrazeneca.com
Tue Mar 24 11:07:56 EDT 2009


Hello,

I'm after some advice on how to configure Kerberos v5 to authenticate users from different Windows domains to the same Apache hosted application.  Is this possible?  If so, is there a simple guide on what needs to be done in order to achieve it that can be shared with me?

I have Kerberos v5 installed with a Kerberos-capable version of Apache on AIX 5.3.
I have had a keytab file generated in the Windows "EU" domain, and have configured the server so the application authenticates users from the "EU" domain.

/etc/krb5.conf is similar to:

[libdefaults]
        default_realm = EU.COMPANY.NET

[realms]
        EU.COMPANY.NET = {
                kdc = eudc01.eu.company.net
                admin_server = eudc01.eu.company.net
                default_domain = eu.company.net
                }

[domain_realm]
        .svr_domain.company.net = EU.COMPANY.NET
        svr_domain.company.net = EU.COMPANY.NET
 
What do I need to do in order to also authenticate users from the companies "US" domain, which is controlled by separate domain controller(s), to the application?

Any help anyone can give me would be very greatfully received.

Regards,
Kevan Earl


--------------------------------------------------------------------------
AstraZeneca UK Limited is a company incorporated in England and Wales with registered number: 03674842 and a registered office at 15 Stanhope Gate, London W1K 1LN.
Confidentiality Notice: This message is private and may contain confidential, proprietary and legally privileged information. If you have received this message in error, please notify us and remove it from your system and note that you must not copy, distribute or take any action in reliance on it. Any unauthorised use or disclosure of the contents of this message is not permitted and may be unlawful.
Disclaimer: Email messages may be subject to delays, interception, non-delivery and unauthorised alterations. Therefore, information expressed in this message is not given or endorsed by AstraZeneca UK Limited unless otherwise notified by an authorised representative independent of this message. No contractual relationship is created by this message by any person unless specifically indicated by agreement in writing other than email.
Monitoring: AstraZeneca UK Limited may monitor email traffic data and content for the purposes of the prevention and detection of crime, ensuring the security of our computer systems and checking Compliance with our Code of Conduct and Policies.




More information about the Kerberos mailing list