problem with the cross-realm, any help?

Douglas E. Engert deengert at anl.gov
Tue Aug 24 10:31:14 EDT 2010



On 8/24/2010 5:05 AM, c f wrote:
> Hello,
>
> I need some help with the cross-realm.
>
> I have MIT KDC, an Active Directory on Windows Server 2008 Enterprise, and a
> Windows 7 (in the windows domain) as a client for test.
> What I want to do is: to log onto Windows 7 with the MIT kerberos accounts.
>
> I've created and configured:
> -- on MIT kdc, adding the "krbtgt/AD.MYDOMAIN.COM at MYDOMAIN.COM", and
> "krbtgt/MYDOMAIN.COM at AD.MYDOMAIN.COM" principals;
> -- on Windows2008, creating the trust relationship with the MIT kdc (Direct
> Outbound)

Are you sure this is the correct direction?

You will also need to set in each account in AD that authentication by
an external Kerberos realm is acceptable for this account. (In this case AD is
trusting the external Kerberos to do the authentication, but the workstation's
domain still needs to do the authorization. A PAC is then added to the service
ticket sent to the workstation.)

See:
http://technet.microsoft.com/en-us/library/cc757621(WS.10).aspx

> -- on both Windows 7 and Windows server 2008, using "ksetup /addRealm
> ......" to add the mit kerberos realm;
> -- on Windows 7, enabling the DES encryption, but not on the 2008 server, as
> I could not find a way to do that;

(You don't need to (and should not) use DES at all. All the newer Kerberos and
2008 support AES, and Kerberos and Windows all support arcfour.)

> -- on Windows server 2008, creating the same users as in MIT kdc, and mapping
> them to Mit kerberos principals;
>
> The problem is, I cannot log onto Windows 7 by using the Mit kerberos's
> username and password.

Sounds like AD will not accept the cross realm ticket, because the trust is the
wrong direction, or the account is not flagged as accepting Kerberos authentication
from an external realm.

Another way to do some testing is with the runas.exe command. Using the /netonly
option gets Kerberos tickets. Without that option, the tickets must also contain the PAC
provided by the DC of the workstation's domain. Wireshark can then be used to watch
the Kerberos traffic between the workstation and the KDC and DC, including any
KRB5-ERROR message sent by AD.

> I've got these 2 types of error messages: sometimes "user name and password
> is incorrect", and sometimes "the trust relationship between this workstation
> and the primary domain failed".
> On Mit kdc's log file, there is the message
> "mitkdc.mydomain.comkrb5kdc[6735](info): AS_REQ (7 etypes {18 17 23 3
> 1 24 -135}) ...: ISSUE:
> authtime 1282578442, etypes {rep=23 tkt=16 ses=23},
> userfotest at MYDOMAIN.COMfor krbtgt/
> AD.MYDOMAIN.COM at MYDOMAIN.COM".
> And in Active Directory, I see nothing wrong, neither the Windows 7.
>
> However, if I don't add my windows 7 into Active Directory, but the Mit
> Kerberos Domain, everything works. I can authenticate the standalone
> workstation (Windows 7) against Mit Kerberos without problem (by activating the
> guest account on Windows 7, and mapping * to the guest account).
>
> I've been blocked for weeks on this. Does anyone have any ideas to help me?
>
> Thank you!
>
> Claudia

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
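The krb5kdc ISSUE line Claudia quoted already says which encryption types were negotiated, and Engert's point about AES and arcfour versus DES is the clue to read it with. The following Python helper is added here and is not part of the thread: it parses such a line and reports any etype the Windows side cannot consume. The etype numbers and names are the standard registry values; the set of etypes that Windows Server 2008 / Windows 7 implement is my assumption, as is the reconstructed sample line.

```python
import re

# Standard Kerberos etype numbers (RFC 3961 / IANA); -135 is Microsoft's arcfour-hmac-old-exp.
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac", 24: "arcfour-hmac-exp", -135: "arcfour-hmac-old-exp",
}
# Assumption: etypes a Windows 2008 / Windows 7 realm member implements (DES, RC4, AES); not des3 (16).
WINDOWS_ETYPES = {1, 3, 17, 18, 23, 24, -135}
DES_ETYPES = {1, 3}

# Constructed sample: the krb5kdc ISSUE line quoted in the thread, with mail
# wrapping and address mangling undone; the elided client address stays "...".
SAMPLE_LINE = (
    "mitkdc.mydomain.com krb5kdc[6735](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) "
    "...: ISSUE: authtime 1282578442, etypes {rep=23 tkt=16 ses=23}, "
    "userfotest@MYDOMAIN.COM for krbtgt/AD.MYDOMAIN.COM@MYDOMAIN.COM"
)

ISSUE_RE = re.compile(
    r"AS_REQ \(\d+ etypes \{(?P<req>[^}]*)\}\).*?ISSUE: authtime (?P<authtime>\d+), "
    r"etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\}, "
    r"(?P<client>\S+) for (?P<server>\S+)"
)

def etype_name(e):
    return ETYPE_NAMES.get(e, "etype %d" % e)

def parse_issue(line):
    """Parse one MIT krb5kdc AS_REQ ISSUE line; None if the line is not one."""
    m = ISSUE_RE.search(line)
    if m is None:
        return None
    return {"requested": [int(e) for e in m["req"].split()],
            "rep": int(m["rep"]), "tkt": int(m["tkt"]), "ses": int(m["ses"]),
            "client": m["client"], "server": m["server"]}

def check_for_windows(rec):
    """Findings on whether the issued ticket can be consumed by a Windows realm member."""
    findings = []
    # tkt= is the key the ticket is sealed with: the key of the principal named
    # after "for". AD must hold that principal's key in an etype it implements.
    if rec["tkt"] not in WINDOWS_ETYPES:
        findings.append("ticket for %s is sealed with %s, which Windows does not implement; "
                        "give that principal an AES or arcfour key" % (rec["server"], etype_name(rec["tkt"])))
    offered = [etype_name(e) for e in rec["requested"] if e in DES_ETYPES]
    if offered:
        findings.append("client offers single DES (%s), which is unnecessary when AES "
                        "or arcfour is available" % ", ".join(offered))
    return findings
```

On the quoted line the cross-realm ticket is sealed with etype 16, so the check reports the krbtgt/AD.MYDOMAIN.COM@MYDOMAIN.COM key type as the first thing to look at.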
