problem with the cross-realm, any help?

Wilper, Ross A rwilper at stanford.edu
Tue Aug 24 11:39:05 EDT 2010


You mention allowing the DES enctypes on the Windows 7 box? Is that the only common enctype available between the MIT realm and Windows? (AES256, AES128, RC4_HMAC, DES_CBC_MD5, DES_CBC_CRC)

If so, you will need to have DES enabled on the domain controller also. This is most easily done (for all machines) using a group policy:

"Network Security: Configure Encryption types allowed for Kerberos"

Outbound trust should be the correct direction.
It appears that you have altSecurityIdentities set on the domain user account.
Check the time on the DCs too.

-Ross

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of c f
Sent: Tuesday, August 24, 2010 3:06 AM
To: kerberos at mit.edu
Subject: problem with the cross-realm, any help?

Hello,

I need some help with the cross-realm.

I have an MIT KDC, an Active Directory on Windows Server 2008 Enterprise, and a
Windows 7 machine (in the Windows domain) as a client for testing.
What I want to do is: log onto Windows 7 with the MIT Kerberos accounts.

I've created and configured:
-- on the MIT KDC, adding the "krbtgt/AD.MYDOMAIN.COM at MYDOMAIN.COM" and
"krbtgt/MYDOMAIN.COM at AD.MYDOMAIN.COM" principals;
-- on Windows 2008, creating the trust relationship with the MIT KDC (Direct
Outbound);
-- on both Windows 7 and Windows Server 2008, using "ksetup /addRealm
......" to add the MIT Kerberos realm;
-- on Windows 7, enabling the DES encryption, but not on the 2008 server, as
I could not find a way to do that;
-- on Windows Server 2008, creating the same users as in the MIT KDC, and mapping
them to MIT Kerberos principals.

The problem is, I cannot log onto Windows 7 by using the MIT Kerberos
username and password.
I've got these 2 types of error messages: sometimes "user name and password
is incorrect", and sometimes "the trust relationship between this workstation
and the primary domain failed".
In the MIT KDC's log file, there is the message
"mitkdc.mydomain.com krb5kdc[6735](info): AS_REQ (7 etypes {18 17 23 3
1 24 -135}) ...: ISSUE:
authtime 1282578442, etypes {rep=23 tkt=16 ses=23},
userfotest at MYDOMAIN.COM for krbtgt/
AD.MYDOMAIN.COM at MYDOMAIN.COM".
And in Active Directory I see nothing wrong, nor on the Windows 7 machine.

However, if I don't add my Windows 7 machine to Active Directory, but to the MIT
Kerberos domain, everything works. I can authenticate the standalone
workstation (Windows 7) against MIT Kerberos without problem (by activating the
guest account on Windows 7, and mapping * to the guest account).

I've been blocked for weeks on this. Does anyone have any ideas to help me?

Thank you!

Claudia
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
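As an added example (not code from either poster), the following Python parses a krb5kdc ISSUE line like the one quoted above and checks the etypes of the issued cross-realm ticket against the enctypes Ross lists as available on the Windows side; the sample log line, its client address and the client principal name are constructed for the example.

```python
import re

# Kerberos encryption type numbers (RFC 3961 / RFC 4757 assignments).
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
}

# Enctypes the reply lists for the Windows side:
# AES256, AES128, RC4_HMAC, DES_CBC_MD5, DES_CBC_CRC.
WINDOWS_ETYPES = {18, 17, 23, 3, 1}

# Constructed sample modelled on the posted log line; the client address
# (192.0.2.10) and client principal (test@MYDOMAIN.COM) are made up.
SAMPLE_LOG = (
    "mitkdc.mydomain.com krb5kdc[6735](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) "
    "192.0.2.10: ISSUE: authtime 1282578442, etypes {rep=23 tkt=16 ses=23}, "
    "test@MYDOMAIN.COM for krbtgt/AD.MYDOMAIN.COM@MYDOMAIN.COM"
)

ISSUE_RE = re.compile(
    r"AS_REQ \(\d+ etypes \{([^}]*)\}\).*?ISSUE:.*?"
    r"etypes \{rep=(-?\d+) tkt=(-?\d+) ses=(-?\d+)\},\s*(\S+) for (\S+)"
)

def parse_issue_line(line):
    """Return the etypes the client offered and those the KDC used for the
    issued ticket, or None if the line is not an AS_REQ ISSUE record."""
    m = ISSUE_RE.search(line)
    if not m:
        return None
    return {
        "offered": [int(x) for x in m.group(1).split()],
        "rep": int(m.group(2)), "tkt": int(m.group(3)), "ses": int(m.group(4)),
        "client": m.group(5), "server": m.group(6),
    }

def check_cross_realm(parsed, peer_etypes=WINDOWS_ETYPES):
    """Flag ticket/session etypes the peer realm cannot use, and list which
    of the client's offered etypes both sides have in common."""
    problems = []
    for role in ("tkt", "ses"):
        et = parsed[role]
        if et not in peer_etypes:
            name = ETYPE_NAMES.get(et, "unknown")
            problems.append(f"{role}={et} ({name}) is not an etype the peer realm accepts")
    common = [e for e in parsed["offered"] if e in peer_etypes]
    return {"common_offered": common, "problems": problems}

if __name__ == "__main__":
    print(check_cross_realm(parse_issue_line(SAMPLE_LOG)))
```

With the posted values the ticket etype 16 (des3-cbc-sha1) is flagged, since it is not among the enctypes listed for Windows, while 18, 17, 23, 3 and 1 are offered by both sides.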




More information about the Kerberos mailing list