Cross realm between AD and MIT

Wilper, Ross A rwilper at stanford.edu
Fri Aug 26 11:22:28 EDT 2011


One thing that you did not make clear is if you defined the MIT Kerberos realm in the registry of the Windows 7 machine.
(ksetup /AddKDC <realm> <kdc> or just go to HKLM\System\CurrentControlSet\LSA\Kerberos\Domains and make a key named the same as the realm and add a REG_MULTI_SZ value "KdcNames")

-Ross

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of jm130794
Sent: Friday, August 26, 2011 7:41 AM
To: Robert Wehn
Cc: kerberos at mit.edu
Subject: Re: Cross realm between AD and MIT

Hello,


I tried with another client and I have the same problem!

I can't open a session with user1 (MIT principal).

JM


2011/8/24 Robert Wehn <robert.wehn at rz.uni-augsburg.de>

> Hi JM
>
> Might be a DNS error.
> The Client (user) has to guess the realm to the service and often uses
> DNS (for example TXT records) or some registry entry (HostTorealm) to
> determine the KRB REALM for the service (in this case the local login).
>
> Try to wireshark what DNS request a win XP Machine does, when you try to
> login using Cross Realm Trust.
> Do the same on the Windows 7 Machine.
>
> When testing Cross-Realm trust several months ago I had the impression
> MS changed something there, but I didn't really finish this.
> Actually it doesn't read out TXT Records which worked fine for WinXP.
>
> If you find out something, please tell me.
>
> Robert.
>
> On 24.08.2011 14:06, jm130794 wrote:
> > I used wireshark to find why my connection fails. It seems that AD
> > returns the error KDC_ERR_WRONG_REALM. It's weird that I can connect
> > to the server and not on the client!
> >
> > Regards,
> >
> >
> > JM
> >
> > 2011/8/24 jm130794 <jm130794 at gmail.com>
> >
> >> Hello
> >>
> >> I installed a cross realm between my MIT and an AD. I can open a session
> >> on my AD server with a principal defined in my MIT Kerberos (eg user1).
> >>
> >> I added a Windows Seven to my Microsoft Domain. I can open a session on
> >> this station with the Domain Administrator Domain without problem.
> >>
> >> When I try to open a session with user1 (MIT principal), that doesn't
> >> work...
> >>
> >> Any idea?
> >>
> >> Thanks,
> >>
> >> JM
> >>
> >>
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
> --
>
> Dr. Robert Wehn ........................ http://www.rz.uni-augsburg.de
> Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2047
> 86135 Augsburg .................................. Fax. (0821) 598-2028
>
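The client-side check Ross asks about, as an added PowerShell example that is not part of the original thread: it looks for the realm's key and its KdcNames value, then probes each listed KDC on TCP 88. The realm name EXAMPLE.ORG is a placeholder, and the key location is a parameter whose default (the Control\Lsa\Kerberos\Domains path that ksetup writes to) is an assumption of this example.

```powershell
# Added example (not from the thread): verify the realm-to-KDC mapping on a client.
param(
    [string]$Realm = 'EXAMPLE.ORG',   # placeholder realm name (assumption)
    # Assumed default: the location ksetup /AddKDC writes to; override if yours differs.
    [string]$DomainsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains'
)

# TCP connect to the KDC port with a timeout. Kerberos also runs over UDP 88,
# so this only shows that the name resolves and the host answers on TCP.
function Test-KdcReachable {
    param([string]$KdcHost, [int]$Port = 88, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($KdcHost, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false      # DNS failure or connection refused
    } finally {
        $client.Close()
    }
}

$key = Join-Path $DomainsKey $Realm
if (-not (Test-Path $key)) {
    Write-Output "Realm '$Realm' has no key under $DomainsKey."
    Write-Output "Define it with: ksetup /AddKDC $Realm <kdc>"
    return
}

# KdcNames is REG_MULTI_SZ, so it comes back as a string array; drop empty entries.
$kdcs = @((Get-ItemProperty -Path $key).KdcNames | Where-Object { $_ })
if ($kdcs.Count -eq 0) {
    Write-Output "Key for '$Realm' exists but KdcNames is missing or empty."
    return
}

# One result object per configured KDC.
foreach ($kdc in $kdcs) {
    New-Object PSObject -Property @{
        Realm = $Realm
        Kdc   = $kdc
        Tcp88 = (Test-KdcReachable -KdcHost $kdc)
    }
}
```

Run it on both the working server and the failing Windows 7 client and compare the output; a realm that is present on one and absent on the other points at the client configuration rather than the trust itself.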



