cross-realm authentication problem

Christopher D. Clausen cclausen at
Thu May 28 11:07:52 EDT 2009

Bjoern Tore Sund <bjorn.sund at> wrote:
> Any ideas where I need to look to figure this one out?  It looks as if
> the RHEL5 server somehow fails to inform the windows client that it
> needs to get a TGT for UNIX.UIB.NO, but why then does the RHEL4
> server provide this information?

Kerberos works the other way.  The CLIENT needs to know what realm the 
server is in.  The server doesn't really inform the client of its realm.

Windows doesn't have a krb5.conf file for SSPI creds.  You probably want 
to look into trying to use the netdom.exe trust command (possibly with 
/addTLN or AddTLNEX) to add the domain to realm mappings for Windows 
clients to use.  Your KDC may need to support referrals for this to 

What are the URLs / hostnames of the two different web servers?  It is 
possible that mappings exist for one name and not the other domain?

Or, can you downgrade to the older krb5 libs on your RHEL5 web server to 
see if that gets things working?


I'd consider why you have multiple realms in the first place.  It would 
be much easier to just use Active Directory as one single realm.


More information about the Kerberos mailing list