problem with the cross-realm, any help?

c f claudiawhf at gmail.com
Tue Aug 24 06:05:43 EDT 2010


Hello,

I need some help with the cross-realm.

I have an MIT KDC, an Active Directory on Windows Server 2008 Enterprise, and a
Windows 7 machine (in the Windows domain) as a test client.
What I want to do is log onto Windows 7 with the MIT Kerberos accounts.

I've created and configured:
-- on the MIT KDC, adding the "krbtgt/AD.MYDOMAIN.COM@MYDOMAIN.COM" and
"krbtgt/MYDOMAIN.COM@AD.MYDOMAIN.COM" principals;
-- on Windows 2008, creating the trust relationship with the MIT KDC (Direct
Outbound);
-- on both Windows 7 and Windows Server 2008, using "ksetup /addRealm
......" to add the MIT Kerberos realm;
-- on Windows 7, enabling the DES encryption, but not on the 2008 server, as
I could not find a way to do that;
-- on Windows Server 2008, creating the same users as in the MIT KDC and
mapping them to MIT Kerberos principals;

The problem is, I cannot log onto Windows 7 by using the MIT Kerberos
username and password.
I've got these 2 types of error messages: sometimes "user name and password
is incorrect", and sometimes "the trust relationship between this workstation
and the primary domain failed".
In the MIT KDC's log file, there is the message
"mitkdc.mydomain.com krb5kdc[6735](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) ...: ISSUE: authtime 1282578442, etypes {rep=23 tkt=16 ses=23}, userfotest@MYDOMAIN.COM for krbtgt/AD.MYDOMAIN.COM@MYDOMAIN.COM".
And in Active Directory, I see nothing wrong, nor on Windows 7.

However, if I don't add my Windows 7 machine to Active Directory, but to the
MIT Kerberos domain, everything works. I can authenticate the standalone
workstation (Windows 7) against MIT Kerberos without problem (by activating
the guest account on Windows 7, and mapping * to the guest account).

I've been blocked for weeks on this. Does anyone have any ideas to help me?

Thank you!

Claudia
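
For reading the krb5kdc line quoted in the message above: an added example, not part of the original post, that decodes the etype numbers in an ISSUE line and flags a cross-realm TGT whose ticket key type falls outside an assumed set for the peer realm. The function names, the etype table and PEER_SUPPORTED (assumed here to be what a Windows Server 2008 domain controller implements) are this example's own; adjust them to your environment.

```python
import re

# Kerberos encryption type numbers; -135 is a Microsoft-private value.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
          23: "rc4-hmac", 24: "rc4-hmac-exp", -135: "rc4-hmac-old-exp"}
# Assumption: etypes a Windows Server 2008 domain controller implements.
PEER_SUPPORTED = {1, 3, 17, 18, 23}

LINE_RE = re.compile(
    r"(?:AS|TGS)_REQ \(\d+ etypes \{(?P<offered>[^}]*)\}\).*?"
    r"etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\}, "
    r"(?P<client>\S+) for (?P<server>\S+)")

# The log line from the post, rejoined, with the archive's " at " restored to "@".
SAMPLE = ("mitkdc.mydomain.com krb5kdc[6735](info): AS_REQ (7 etypes "
          "{18 17 23 3 1 24 -135}) ...: ISSUE: authtime 1282578442, "
          "etypes {rep=23 tkt=16 ses=23}, userfotest@MYDOMAIN.COM for "
          "krbtgt/AD.MYDOMAIN.COM@MYDOMAIN.COM")

def name(etype):
    return ETYPES.get(etype, "etype %d" % etype)

def analyze(line, local_realm, peer_supported=PEER_SUPPORTED):
    """Decode the etype fields of one ISSUE line; None if the line does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    tkt = int(m.group("tkt"))
    service, _, realm = m.group("server").partition("@")
    # krbtgt/<OTHER>@<LOCAL> is a cross-realm TGT: the OTHER realm's KDC must
    # decrypt it with the shared trust key, so the key type has to exist there.
    cross = (service.startswith("krbtgt/") and realm == local_realm
             and service[len("krbtgt/"):] != local_realm)
    findings = []
    if cross and tkt not in peer_supported:
        findings.append("cross-realm ticket key %s (%d) is not in the peer set"
                        % (name(tkt), tkt))
    return {"client": m.group("client"), "server": m.group("server"),
            "offered": [name(int(x)) for x in m.group("offered").split()],
            "rep": name(int(m.group("rep"))), "tkt": name(tkt),
            "ses": name(int(m.group("ses"))),
            "cross_realm": cross, "findings": findings}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE, "MYDOMAIN.COM").items():
        print(key, "=", value)
```
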



More information about the Kerberos mailing list