Kerberos authentication against multiple Windows Domains

Earl, Kevan C Kevan.Earl at astrazeneca.com
Wed Mar 25 06:20:33 EDT 2009


Hello Markus,

Thank you for this advice.  I shall try out your suggestion.

When I run kinit -V us_domain_uid@EU.COMPANY.NET I get the message:

kinit(v5): Client not found in Kerberos database while getting initial credentials

while kinit -V eu_domain_uid@EU.COMPANY.NET prompts for password.

I understood that there were trusts between the domains, but it looks like there aren't.

Regards,
Kevan Earl



--------------------------------------------------------------------------
AstraZeneca UK Limited is a company incorporated in England and Wales with registered number: 03674842 and a registered office at 15 Stanhope Gate, London W1K 1LN.
Confidentiality Notice: This message is private and may contain confidential, proprietary and legally privileged information. If you have received this message in error, please notify us and remove it from your system and note that you must not copy, distribute or take any action in reliance on it. Any unauthorised use or disclosure of the contents of this message is not permitted and may be unlawful.
Disclaimer: Email messages may be subject to delays, interception, non-delivery and unauthorised alterations. Therefore, information expressed in this message is not given or endorsed by AstraZeneca UK Limited unless otherwise notified by an authorised representative independent of this message. No contractual relationship is created by this message by any person unless specifically indicated by agreement in writing other than email.
Monitoring: AstraZeneca UK Limited may monitor email traffic data and content for the purposes of the prevention and detection of crime, ensuring the security of our computer systems and checking Compliance with our Code of Conduct and Policies.
-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu]On
Behalf Of Markus Moeller
Sent: 25 March 2009 00:04
To: kerberos at mit.edu
Subject: Re: Kerberos authentication against multiple Windows Domains



"Earl, Kevan C" <Kevan.Earl at astrazeneca.com> wrote in message 
news:3154FEBCFB92804DA39A2560E17183760341FE80 at ukaprdembx02.rd.astrazeneca.net...
> Hello,
>
> I'm after some advice on how to configure Kerberos v5 to authenticate 
> users from different Windows domains to the same Apache hosted 
> application.  Is this possible?  If so, is there a simple guide on what 
> needs to be done in order to achieve it that can be shared with me?
>
> I have Kerberos v5 installed with a Kerberos-capable version of Apache on 
> AIX 5.3.
> I have had a keytab file generated in the Windows "EU" domain, and have 
> configured the server so the application authenticates users from the "EU" 
> domain.
>
> /etc/krb5.conf is similar to:
>
> [libdefaults]
>        default_realm = EU.COMPANY.NET
>
> [realms]
>        EU.COMPANY.NET = {
>                kdc = eudc01.eu.company.net
>                admin_server = eudc01.eu.company.net
>                default_domain = eu.company.net
>                }
>
> [domain_realm]
>        .svr_domain.company.net = EU.COMPANY.NET
>        svr_domain.company.net = EU.COMPANY.NET
>
> What do I need to do in order to also authenticate users from the 
> company's "US" domain, which is controlled by separate domain 
> controller(s), to the application?
>

If the domains have a trust you don't need to do anything. If they don't 
have trust then you need to create a second keytab entry for the host in the 
US DC with a second DNS name.

e.g. In the EU domain the server is server.eu.company.net with a key 
HTTP/server.eu.company.net@EU.COMPANY.NET in eudc01 and in the US domain the 
server is server.us.company.net with a key 
HTTP/server.us.company.net@US.COMPANY.NET in usdc01.

Merge both keys in one keytab for Apache and configure the Apache Kerberos 
module to accept all names (I think it is KrbServiceName Any in 
mod-auth-kerb).


> Any help anyone can give me would be very gratefully received.
>
> Regards,
> Kevan Earl
>

Regards
Markus


________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
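
The following is an added example, not part of the thread: a check to run after the keytab merge Markus describes, confirming that the merged file holds an HTTP key for each realm and nothing else. It assumes the MIT `klist -k` output layout and MIT `ktutil` commands; the keytab file names and function names are hypothetical, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Merge step with MIT ktutil, run
# interactively; the keytab file names are placeholders:
#   ktutil:  rkt eu-http.keytab
#   ktutil:  rkt us-http.keytab
#   ktutil:  wkt merged-http.keytab

# Constructed sample of `klist -k merged-http.keytab` output (MIT layout:
# KVNO in column 1, principal in column 2).
sample_listing() {
cat <<'EOF'
Keytab name: FILE:merged-http.keytab
KVNO Principal
---- ------------------------------------------------
   3 HTTP/server.eu.company.net@EU.COMPANY.NET
   2 HTTP/server.us.company.net@US.COMPANY.NET
EOF
}

# Print every principal found in a listing read from stdin.
principals() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^[^@]+@[^@]+$/ { print $2 }'
}

# Print the realms that have no HTTP/ key; return 1 if any is missing.
missing_realms() {
    have=$(principals | awk -F@ '/^HTTP\// { print $2 }' | sort -u)
    rc=0
    for realm in "$@"; do
        printf '%s\n' "$have" | grep -qxF "$realm" || { printf '%s\n' "$realm"; rc=1; }
    done
    return $rc
}

# Print non-HTTP principals. The thread's suggestion is to have the module
# accept all names in the keytab, so the file should hold only the
# intended HTTP keys.
unexpected_principals() {
    principals | grep -v '^HTTP/' || true
}

sample_listing | missing_realms EU.COMPANY.NET US.COMPANY.NET \
    && echo "keytab has an HTTP key for each realm"
```

Against a real keytab, replace `sample_listing` with `klist -k` on the merged file and pipe it into the same functions.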



