problem with the cross-realm, any help?

Douglas E. Engert deengert at anl.gov
Wed Aug 25 10:22:33 EDT 2010



On 8/25/2010 4:46 AM, c f wrote:
> Hi Ross,
>
> On Tue, Aug 24, 2010 at 5:39 PM, Wilper, Ross A<rwilper at stanford.edu>wrote:
>
>> You mention allowing the DES enctypes on the Windows 7 box? Is that the
>> only common enctype available between the MIT realm and Windows? (AES256,
>> AES128, RC4_HMAC, DES_CBC_MD5, DES_CBC_CRC)
>>
> I have all these enctypes enabled in fact.
>
>
>> If so, you will need to have DES enabled on the domain controller also.
>> This is most easily done (for all machines) using a group policy
>>
>
>> "Network Security: Configure Encryption types allowed for Kerberos"
>>
>
> I have not found this group policy in a Windows Server 2008.
>
>
>
>> Outbound trust should be the correct direction
>> It appears that you have altSecurityIdentities set on the domain user
>> account
>> Check the time on the DCs too.
>>
>
> Yes, I linked every AD user to an MIT Kerberos principal manually, by the
> "name mapping" settings in AD. I think that's what you mean by
> altSecurityIdentities. (I'm still new in this domain.)
>
> I have an NTP server, and I've checked the time on all the servers and
> clients.
>
> Nothing works so far.
> With Wireshark on the Windows 7 box, I've got some traffic:
> source: windows 7 box,  destination: mit kdc, info : as-req
> source: mit kdc,  destination: windows 7 box, info : as-rep
> source: windows 7 box,  destination: mit kdc, info : tgs-req
> source: mit kdc,  destination: windows 7 box, info : tgs-rep

Can you look at the Wireshark tgs-req and tgs-rep and see what service
principal the workstation is requesting?

If it's for host/<w7 workstation>@<mit realm>, the W7 workstation thinks
it is a member of the MIT realm, and not joined to the AD domain.

If it's for krbtgt/<ad domain>@<mit realm>, then it's a cross-realm
ticket, and there is something else going on.

With the cross realm, the W7 workstation needs to be joined to the AD
domain, and the user is in the MIT realm.

When you try to log in, do you specify user@<mit realm>?

What is the output of ksetup /dumpstate? With all your testing it
might be in a strange state.



>
> I don't see any traffic between my Windows 7 box and the Active Directory.
> That seems not so normal.
>
> Thanks.
>
> Claudia
>
>>
>> -Ross
>>
>> -----Original Message-----
>> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf
>> Of c f
>> Sent: Tuesday, August 24, 2010 3:06 AM
>> To: kerberos at mit.edu
>> Subject: problem with the cross-realm, any help?
>>
>> Hello,
>>
>> I need some help with the cross-realm.
>>
>> I have an MIT KDC, an Active Directory on Windows Server 2008 Enterprise, and
>> a Windows 7 (in the Windows domain) as a client for test.
>> What I want to do is: to log onto Windows 7 with the MIT Kerberos accounts.
>>
>> I've created and configured:
>> -- on MIT kdc, adding the "krbtgt/AD.MYDOMAIN.COM@MYDOMAIN.COM" and
>> "krbtgt/MYDOMAIN.COM@AD.MYDOMAIN.COM" principals;
>> -- on Windows 2008, creating the trust relationship with the MIT kdc (Direct
>> Outbound);
>> -- on both Windows 7 and Windows Server 2008, using "ksetup /addRealm
>> ......" to add the MIT Kerberos realm;
>> -- on Windows 7, enabling the DES encryption, but not on the 2008 server,
>> as I could not find a way to do that;
>> -- on Windows Server 2008, creating the same users as in the MIT kdc, and
>> mapping them to MIT Kerberos principals;
>>
>> The problem is, I cannot log onto Windows 7 by using the MIT Kerberos
>> username and password.
>> I've got these 2 types of error messages: sometimes "user name and
>> password is incorrect", and sometimes "the trust relationship between this
>> workstation and the primary domain failed".
>> On the MIT kdc's log file, there is the message
>> "mitkdc.mydomain.com krb5kdc[6735](info): AS_REQ (7 etypes {18 17 23 3
>> 1 24 -135}) ...: ISSUE: authtime 1282578442, etypes {rep=23 tkt=16 ses=23},
>> userfotest@MYDOMAIN.COM for krbtgt/AD.MYDOMAIN.COM@MYDOMAIN.COM".
>> And in Active Directory, I see nothing wrong, nor on the Windows 7.
>>
>> However, if I don't add my Windows 7 into Active Directory, but into the MIT
>> Kerberos domain, everything works. I can authenticate the standalone
>> workstation (Windows 7) against MIT Kerberos without problem (by activating
>> the guest account on Windows 7, and mapping * to the guest account).
>>
>> I've been blocked for weeks on this. Does anyone have any ideas to help me?
>>
>> Thank you!
>>
>> Claudia
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
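Two checks from this thread in one place, as an added example that is not code from anyone on the list: parsing the krb5kdc ISSUE line Claudia quoted, classifying the requested service principal the way Douglas describes (host/... in the MIT realm versus krbtgt/<ad domain>@<mit realm>), and comparing the chosen ticket and session enctypes against the MIT/Windows common set Ross lists. The timestamp and client address in the sample line are constructed, since the mail elided them.

```python
import re

# Enctype numbers as MIT krb5kdc logs them (RFC 3961/3962, RFC 4757).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac", 24: "arcfour-hmac-exp"}
# The enctypes Ross lists as shared between the MIT realm and Windows:
# AES256, AES128, RC4_HMAC, DES_CBC_MD5, DES_CBC_CRC.
WINDOWS_ENCTYPES = {18, 17, 23, 3, 1}

ISSUE_RE = re.compile(
    r"AS_REQ \(\d+ etypes \{(?P<req>[^}]*)\}\).*?ISSUE: authtime \d+, "
    r"etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)")

# Constructed sample: the ISSUE line from the thread, with a made-up
# timestamp and client address (192.0.2.10) standing in for the elided parts.
SAMPLE_LOG = ("Aug 23 16:27:22 mitkdc.mydomain.com krb5kdc[6735](info): AS_REQ "
              "(7 etypes {18 17 23 3 1 24 -135}) 192.0.2.10: ISSUE: authtime "
              "1282578442, etypes {rep=23 tkt=16 ses=23}, "
              "userfotest@MYDOMAIN.COM for krbtgt/AD.MYDOMAIN.COM@MYDOMAIN.COM")

def parse_issue(line):
    """Extract requested etypes, chosen etypes and principals from one ISSUE line."""
    m = ISSUE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"requested": [int(x) for x in d["req"].split()],
            "rep": int(d["rep"]), "tkt": int(d["tkt"]), "ses": int(d["ses"]),
            "client": d["client"], "service": d["service"]}

def diagnose(rec, mit_realm, ad_realm):
    """Classify the service principal, then flag enctypes Windows cannot use."""
    svc, _, svc_realm = rec["service"].rpartition("@")
    findings = []
    if svc == f"krbtgt/{ad_realm}" and svc_realm == mit_realm:
        findings.append("cross-realm TGT for the AD domain, issued by the MIT realm")
    elif svc.startswith("host/") and svc_realm == mit_realm:
        findings.append("host ticket in the MIT realm: the workstation is acting "
                        "as an MIT-realm member, not an AD domain member")
    for role in ("tkt", "ses"):  # tkt key must be usable by the AD DC, ses by the client
        et = rec[role]
        if et not in WINDOWS_ENCTYPES:
            findings.append(f"{role} enctype {et} ({ENCTYPE_NAMES.get(et, 'unknown')}) "
                            "is not in the enctype set shared with Windows")
    return findings

for finding in diagnose(parse_issue(SAMPLE_LOG), "MYDOMAIN.COM", "AD.MYDOMAIN.COM"):
    print(finding)
```

The same service-principal classification applies to the sname seen in a Wireshark tgs-req, which is the field Douglas asks about.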
