Trust between AD and MIT Kerberos
Mikkel Kruse Johnsen
mikkel at linet.dk
Tue Sep 22 04:53:40 EDT 2009
Hi All
I have a trust between my Windows 2003 AD (HHK.DK) and my RHEL5 MIT
Kerberos (CBS.DK).
On the Windows machines I have:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK
KdcNames: kdc1.cbs.dk kdc2.cbs.dk
Adding "HTTP/od.cbs.dk@CBS.DK" to my CBS.DK and using mod_auth_kerb in
Apache, SSO worked on both Windows and Linux clients with HHK.DK tokens.
In my log file "/var/log/krb5kdc.log" I could see that a lot of requests
came from Windows machines.
Now the IT department created a UPN suffix on the AD called CBS.DK and
SSO stopped working on Windows clients. The requests in
"/var/log/krb5kdc.log" stopped.
We removed the UPN suffix from the AD, but Windows clients are not
working and the requests to "/var/log/krb5kdc.log" do not happen anymore.
Everything is fine on Linux.
It seems that Windows clients no longer use the
"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK" in the reg.
Have been searching the net for month now. Does anyone have any idea what is
wrong?
Is there a way to map domains to realms in Windows like [domain_realm] in
krb5.conf?
Med Venlig Hilsen / Kind Regards
Mikkel Kruse Johnsen
Adm.Dir.
Linet
Ørholmgade 6 st tv
Copenhagen N 2200
Denmark
Work: +45 21287793
Mobile: +45 21287793
Email: mikkel at linet.dk
IM: mikkel at linet.dk (MSN)