problem with the cross-realm, any help?

c f claudiawhf at gmail.com
Wed Aug 25 05:46:29 EDT 2010


Hi Ross,

On Tue, Aug 24, 2010 at 5:39 PM, Wilper, Ross A <rwilper at stanford.edu> wrote:

> You mention allowing the DES enctypes on the Windows 7 box? Is that the
> only common enctype available between the MIT realm and Windows? (AES256,
> AES128, RC4_HMAC, DES_CBC_MD5, DES_CBC_CRC)
>
> I have all these enctypes enabled in fact.


> If so, you will need to have DES enabled on the domain controller also.
> This is most easily done (for all machines) using a group policy
>

> "Network Security: Configure Encryption types allowed for Kerberos"
>

I have not found this group policy on Windows Server 2008.



> Outbound trust should be the correct direction
> It appears that you have altSecurityIdentities set on the domain user
> account
> Check the time on the DCs too.
>

Yes, I linked every AD user to an MIT Kerberos principal manually, via the
"name mapping" settings in AD. I think that's what you mean by
altSecurityIdentities. (I'm still new in this domain.)

I have an NTP server, and I've checked the time on all the servers and
clients.

Nothing works so far.
With Wireshark on the Windows 7 box, I've got some traffic:
source: Windows 7 box,  destination: MIT KDC,  info: AS-REQ
source: MIT KDC,  destination: Windows 7 box,  info: AS-REP
source: Windows 7 box,  destination: MIT KDC,  info: TGS-REQ
source: MIT KDC,  destination: Windows 7 box,  info: TGS-REP

I don't see any traffic between my Windows 7 box and the Active Directory.
That doesn't seem normal.

Thanks.

Claudia

>
> -Ross
>
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf
> Of c f
> Sent: Tuesday, August 24, 2010 3:06 AM
> To: kerberos at mit.edu
> Subject: problem with the cross-realm, any help?
>
> Hello,
>
> I need some help with the cross-realm.
>
> I have an MIT KDC, an Active Directory on Windows Server 2008 Enterprise,
> and a Windows 7 machine (in the Windows domain) as a client for testing.
> What I want to do is log onto Windows 7 with the MIT Kerberos accounts.
>
> I've created and configured:
> -- on the MIT KDC, added the "krbtgt/AD.MYDOMAIN.COM at MYDOMAIN.COM" and
> "krbtgt/MYDOMAIN.COM at AD.MYDOMAIN.COM" principals;
> -- on Windows 2008, created the trust relationship with the MIT KDC
> (Direct Outbound);
> -- on both Windows 7 and Windows Server 2008, used "ksetup /addRealm
> ......" to add the MIT Kerberos realm;
> -- on Windows 7, enabled the DES encryption types, but not on the 2008
> server, as I could not find a way to do that;
> -- on Windows Server 2008, created the same users as in the MIT KDC and
> mapped them to MIT Kerberos principals;
>
> The problem is, I cannot log onto Windows 7 using the MIT Kerberos
> username and password.
> I get two kinds of error message: sometimes "user name and password is
> incorrect", and sometimes "the trust relationship between this workstation
> and the primary domain failed".
> In the MIT KDC's log file, there is the message
> "mitkdc.mydomain.com krb5kdc[6735](info): AS_REQ (7 etypes {18 17 23 3 1
> 24 -135}) ...: ISSUE: authtime 1282578442, etypes {rep=23 tkt=16 ses=23},
> userfotest at MYDOMAIN.COM for krbtgt/AD.MYDOMAIN.COM at MYDOMAIN.COM".
> And in Active Directory I see nothing wrong, nor on the Windows 7 box.
>
> However, if I don't join my Windows 7 box to Active Directory but to the
> MIT Kerberos domain instead, everything works. I can authenticate the
> standalone workstation (Windows 7) against MIT Kerberos without problem
> (by activating the guest account on Windows 7 and mapping * to the guest
> account).
>
> I've been blocked for weeks on this. Does anyone have any ideas to help me?
>
> Thank you!
>
> Claudia
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
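The enctype numbers in the krb5kdc log line quoted in the original message can be checked mechanically against the list of Windows enctypes Ross asks about. The following is an added example for this archive page, not code from MIT krb5 or from either poster: it parses a krb5kdc ISSUE line (the sample line is constructed from the one in the thread; the client address, which the thread elides, is a placeholder, and the line uses a real "@" where the archive prints " at "), decodes the etype numbers per the RFC 3961/3962 registry (the names for the negative, non-standard values Windows sends follow Heimdal's naming and are an assumption), and flags any that the Windows 7 / Server 2008 stack does not implement. On the quoted line tkt=16 is des3-cbc-sha1-kd, which Windows has never supported; whether that is what breaks this particular login is not settled in the thread, but it is the first thing such a check turns up.

```python
"""Decode the enctype numbers in an MIT krb5kdc "ISSUE" log line and check
them against the enctypes the Windows 7 / Server 2008 Kerberos stack supports.

Added example for this mailing-list archive page; not code from MIT krb5 or
from either poster.
"""
import re
from typing import Dict, List, Optional, Set

# Enctype numbers from the RFC 3961/3962 registry plus the negative,
# non-standard values Windows clients send. The names for the negative
# values follow Heimdal's naming and are an assumption.
ENCTYPE_NAMES: Dict[int, str] = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1-kd",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
    -128: "arcfour-md4 (non-standard, Windows)",
    -133: "arcfour-hmac-old (non-standard, Windows)",
    -135: "arcfour-hmac-old-exp (non-standard, Windows)",
}

# The enctypes the "Network security: Configure encryption types allowed for
# Kerberos" policy can enable (the list Ross gives in the thread: AES256,
# AES128, RC4_HMAC, DES_CBC_MD5, DES_CBC_CRC). des3 (16) is not among them.
WINDOWS_ENCTYPES: Set[int] = {1, 3, 17, 18, 23}

# Shape of a krb5kdc ISSUE line, as quoted in the thread.
ISSUE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[-\d ]+)\}\) "
    r"(?P<addr>\S+): ISSUE: authtime (?P<authtime>\d+), "
    r"etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\}, "
    r"(?P<client>\S+) for (?P<server>\S+)"
)

# Constructed sample, modelled on the line quoted in the thread; the client
# address (elided there) is a placeholder.
SAMPLE_LOG = (
    "mitkdc.mydomain.com krb5kdc[6735](info): AS_REQ (7 etypes "
    "{18 17 23 3 1 24 -135}) 10.0.0.7: ISSUE: authtime 1282578442, "
    "etypes {rep=23 tkt=16 ses=23}, userfotest@MYDOMAIN.COM for "
    "krbtgt/AD.MYDOMAIN.COM@MYDOMAIN.COM"
)


def etype_name(etype: int) -> str:
    """Render an enctype number with its registry name, e.g. '16 (des3-cbc-sha1-kd)'."""
    return f"{etype} ({ENCTYPE_NAMES.get(etype, 'unknown')})"


def parse_issue(line: str) -> Optional[dict]:
    """Extract request type, offered etypes, issued etypes and principals from
    one krb5kdc ISSUE line; return None for any other line (NEEDED_PREAUTH, ...)."""
    m = ISSUE_RE.search(line)
    if m is None:
        return None
    return {
        "req": m.group("req"),
        "offered": [int(x) for x in m.group("offered").split()],
        "client": m.group("client"),
        "server": m.group("server"),
        "rep": int(m.group("rep")),  # client long-term key used to encrypt the reply
        "tkt": int(m.group("tkt")),  # service key the ticket itself is sealed with
        "ses": int(m.group("ses")),  # session key handed to both parties
    }


def check_windows_compat(entry: dict, windows: Set[int] = WINDOWS_ENCTYPES) -> List[str]:
    """List every enctype in an ISSUE entry that a Windows client or DC could not
    use. For a cross-realm TGT (server = krbtgt/OTHER@REALM) the 'tkt' enctype
    is the one the other realm's KDC has to decrypt with the trust key."""
    findings: List[str] = []
    if not any(e in windows for e in entry["offered"]):
        findings.append("client offered no Windows-supported enctype: "
                        + ", ".join(etype_name(e) for e in entry["offered"]))
    if entry["rep"] not in windows:
        findings.append(f"reply key enctype {etype_name(entry['rep'])} is not a Windows enctype")
    if entry["ses"] not in windows:
        findings.append(f"session key enctype {etype_name(entry['ses'])} is not a Windows enctype")
    if entry["tkt"] not in windows:
        findings.append(
            f"ticket for {entry['server']} is sealed with {etype_name(entry['tkt'])}, "
            "which Windows cannot decrypt; for a cross-realm krbtgt that means the "
            "AD side will reject the TGT"
        )
    return findings


if __name__ == "__main__":
    issue = parse_issue(SAMPLE_LOG)
    assert issue is not None
    for finding in check_windows_compat(issue):
        print("WARNING:", finding)
```

Run as-is it prints one warning for the sample line. The MIT KDC seals a ticket with one of the service principal's own keys, so when the check flags tkt=, the place to look is the key list of the cross-realm krbtgt principal on the MIT side (kadmin's getprinc shows the enctype of each key); giving krbtgt/AD.MYDOMAIN.COM@MYDOMAIN.COM keys only in enctypes Windows supports, for instance with kadmin's -e option, is the usual remedy. The AS-REQ/AS-REP and TGS-REQ/TGS-REP exchange Claudia captured is consistent with the MIT side answering; what Windows does with the resulting ticket is decided by whether AD can decrypt it.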


