Kerberos authentication against multiple Windows Domains

Markus Moeller huaraz at
Tue Mar 24 20:04:01 EDT 2009

"Earl, Kevan C" <Kevan.Earl at> wrote in message 
news:3154FEBCFB92804DA39A2560E17183760341FE80 at
> Hello,
> I'm after some advice on how to configure Kerberos v5 to authenticate 
> users from different Windows domains to the same Apache hosted 
> application.  Is this possible?  If so, is there a simple guide on what 
> needs to be done in order to achieve it that can be shared with me?
> I have Kerberos v5 installed with a Kerberos-capable version of Apache on 
> AIX 5.3.
> I have had a keytab file generated in the Windows "EU" domain, and have 
> configured the server so the application authenticates users from the "EU" 
> domain.
> /etc/krb5.conf is similar to:
> [libdefaults]
>        default_realm = EU.COMPANY.NET
> [realms]
>        EU.COMPANY.NET = {
>                kdc =
>                admin_server =
>                default_domain =
>                }
> [domain_realm]
> What do I need to do in order to also authenticate users from the 
> company's "US" domain, which is controlled by separate domain 
> controller(s), to the application?

If the domains have a trust you don't need to do anything. If they don't 
have trust then you need to create a second keytab entry for the host in the 
US DC with a second DNS name.

e.g. In the EU domain the server is with a key 
HTTP/ at EU.COMPANY.NET in eudc01 and in the US domain the 
server is with a key 
HTTP/ at US.COMPANY.NET in usdc01.

Merge both keys in one keytab for apache and configure the apache Kerberos 
module to accept all names (I think it is KrbServiceName Any  in 

> Any help anyone can give me would be very gratefully received.
> Regards,
> Kevan Earl

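Added example, not part of the original thread: a Python check that a merged keytab really holds an HTTP service key for each realm before Apache is pointed at it. It reads the MIT keytab file format (version 0x0502); the host names app.eu.example and app.us.example, the key version numbers and the all-zero keys are constructed placeholders, since the thread elides the real names.

```python
import struct

def _counted(buf, off):
    """Read a uint16-length-prefixed byte string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def keytab_principals(data):
    """Return (principal, kvno, enctype) for each live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off, out = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                      # deleted entry ("hole"): skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp.decode())
        # p now points at the 4-byte name type, followed by a 4-byte timestamp
        kvno, enctype = struct.unpack_from(">BH", data, p + 8)
        _, p = _counted(data, p + 11)      # key bytes are not needed here
        if end - p >= 4:                   # optional 32-bit kvno, used if non-zero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        out.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        off = end
    return out

def missing_realms(data, service, realms):
    """Realms with no key whose first principal component is `service`."""
    have = {p.rsplit("@", 1)[1] for p, _, _ in keytab_principals(data)
            if p.split("/")[0] == service}
    return [r for r in realms if r not in have]

def _entry(service, host, realm, kvno):
    """Build one constructed entry (AES256 enctype 18, all-zero dummy key)."""
    s = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 2) + s(realm.encode()) + s(service.encode())
            + s(host.encode()) + struct.pack(">IIBH", 1, 0, kvno, 18)
            + s(bytes(32)) + struct.pack(">I", kvno))
    return struct.pack(">i", len(body)) + body
# Constructed sample: placeholder host names, one hole between the two entries.
SAMPLE = (b"\x05\x02" + _entry("HTTP", "app.eu.example", "EU.COMPANY.NET", 3)
          + struct.pack(">i", -8) + bytes(8)
          + _entry("HTTP", "app.us.example", "US.COMPANY.NET", 5))
```

On a real server, pass the bytes of the merged keytab file to missing_realms(); an empty list means an HTTP key is present for every realm listed.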