Cross realm between AD and MIT

Robert Wehn robert.wehn at rz.uni-augsburg.de
Sat Aug 27 11:24:22 EDT 2011


Hello JM

If you don't do anything in the Registry then I'm quite sure there's a Group Policy which does the job for you.

Maybe this doesn't work with Win7 anymore. Google for "GPO Kerberos win7", I think there were changes in the MS implementation of the settings.

Robert.

--
Robert Wehn
Hermanstraße 29
86150 Augsburg

robert.wehn at googlemail.com
robert at wehns.de

On 26.08.2011 at 20:14, jm130794 <jm130794 at gmail.com> wrote:

> Hello Ross,
> 
> With my first client, I added my computer in the Microsoft Domain. After that, I could log in with my MIT account. I never changed anything in the registry.
> 
> Thanks,
> 
> JM
> 
> 
> 
> 2011/8/26 Wilper, Ross A <rwilper at stanford.edu>
> One thing that you did not make clear is if you defined the MIT Kerberos realm in the registry of the Windows 7 machine.
> (ksetup /AddKDC <realm> <kdc> or just go to HKLM\System\CurrentControlSet\LSA\Kerberos\Domains and make a key named the same as the realm and add a REG_MULTI_SZ value "KdcNames")
> 
> -Ross
> 
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of jm130794
> Sent: Friday, August 26, 2011 7:41 AM
> To: Robert Wehn
> Cc: kerberos at mit.edu
> Subject: Re: Cross realm between AD and MIT
> 
> Hello,
> 
> 
> I tried with another client and I have the same problem!
> 
> I can't open a session with user1 (MIT principal).
> 
> JM
> 
> 
> 2011/8/24 Robert Wehn <robert.wehn at rz.uni-augsburg.de>
> 
> > Hi JM
> >
> > Might be a DNS error.
> > The client (user) has to guess the realm to the service and often uses
> > DNS (for example TXT records) or some registry entry (HostTorealm) to
> > determine the KRB REALM for the service (in this case the local login).
> >
> > Try to wireshark what DNS request a win XP Machine does, when you try to
> > login using Cross Realm Trust
> > Do the same on the Windows 7 Machine.
> >
> > When testing Cross-Realm trust several months ago I had the impression
> > MS changed something there, but I didn't really finish this.
> > Actually it doesn't read out TXT records, which worked fine for WinXP.
> >
> > If you find out something, please tell me.
> >
> > Robert.
> >
> > On 24.08.2011 14:06, jm130794 wrote:
> > > I used Wireshark to find why my connection fails. It seems that AD returns
> > > the error KDC_ERR_WRONG_REALM. It's weird that I can connect to the server and
> > > not on the client!
> > >
> > > Regards,
> > >
> > >
> > > JM
> > >
> > > 2011/8/24 jm130794 <jm130794 at gmail.com>
> > >
> > >> Hello
> > >>
> > >> I installed a cross realm between my MIT and an AD. I can open a session on
> > >> my AD server with a principal defined in my MIT Kerberos (e.g. user1).
> > >>
> > >> I added a Windows Seven to my Microsoft Domain. I can open a session on
> > >> this station with the Domain Administrator Domain without a problem.
> > >>
> > >> When I try to open a session with user1 (MIT principal), that doesn't
> > >> work...
> > >>
> > >> Any idea?
> > >>
> > >> Thanks,
> > >>
> > >> JM
> > >>
> > >>
> > > ________________________________________________
> > > Kerberos mailing list           Kerberos at mit.edu
> > > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> > --
> >
> > Dr. Robert Wehn ........................ http://www.rz.uni-augsburg.de
> > Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2047
> > 86135 Augsburg .................................. Fax. (0821) 598-2028
> >
> >
> 
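The thread turns on two things a Windows client needs before it can log a user in against a foreign MIT realm: Ross's registry entry (a key under HKLM\...\Lsa\Kerberos\Domains named after the realm, with a REG_MULTI_SZ "KdcNames" value, or `ksetup /addkdc`), and Robert's point that without it the client has to discover the realm and its KDCs through DNS. The following read-only PowerShell check is an added example, not code from anyone on the list; it reports which of those two paths is actually configured on the machine you run it on. The realm name, the `-HostToRealmName` parameter and the registry path default are assumptions (the documented location is `...\Control\Lsa\Kerberos\Domains`; Ross's message abbreviates it), and `Resolve-DnsName` needs the DnsClient module, so on Windows 7 you would substitute `nslookup -type=SRV`.

```powershell
<#
  Added example, not part of the mailing-list thread.
  Checks whether a Windows client knows how to reach the KDCs of an MIT realm:
    1. via the registry entry described by Ross (HKLM\...\Lsa\Kerberos\Domains\<REALM>, KdcNames)
    2. via the DNS records Robert refers to (_kerberos._tcp.<realm> SRV, _kerberos.<name> TXT)
  Realm name, host name and registry path default are assumptions.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$Realm,                                                  # e.g. 'MIT.EXAMPLE' (hypothetical)
    [string]$HostToRealmName = $env:USERDNSDOMAIN,                   # name whose _kerberos TXT record to read
    [string]$DomainsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains'
)

function Get-RealmRegistryConfig {
    # Returns what ksetup /addkdc (or manual editing) has stored for the realm, if anything.
    param([string]$Realm, [string]$DomainsKey)
    $key = Join-Path $DomainsKey $Realm.ToUpperInvariant()
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Realm = $Realm; Defined = $false; KdcNames = @(); RealmFlags = $null }
    }
    $props = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Realm      = $Realm
        Defined    = $true
        KdcNames   = @($props.KdcNames)     # REG_MULTI_SZ arrives as string[]
        RealmFlags = $props.RealmFlags      # $null unless ksetup /setrealmflags was ever run
    }
}

function Test-RealmDns {
    # Looks up the records a client falls back to when the realm is not in the registry.
    param([string]$Realm, [string]$HostToRealmName)
    $realmLower = $Realm.ToLowerInvariant()
    $result = [ordered]@{ SrvKdc = @(); TxtRealm = @() }
    try {
        # _kerberos._tcp.<realm> SRV records advertise the realm's KDCs
        $result.SrvKdc = @(Resolve-DnsName -Name "_kerberos._tcp.$realmLower" -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object { "$($_.NameTarget):$($_.Port)" })
    } catch { }
    if ($HostToRealmName) {
        try {
            # _kerberos.<name> TXT records map a host or DNS domain to its Kerberos realm
            $result.TxtRealm = @(Resolve-DnsName -Name "_kerberos.$HostToRealmName" -Type TXT -ErrorAction Stop |
                Where-Object { $_.Type -eq 'TXT' } |
                ForEach-Object { $_.Strings })
        } catch { }
    }
    [pscustomobject]$result
}

$reg = Get-RealmRegistryConfig -Realm $Realm -DomainsKey $DomainsKey
$dns = Test-RealmDns -Realm $Realm -HostToRealmName $HostToRealmName
$srvName = "_kerberos._tcp.$($Realm.ToLowerInvariant())"

if ($reg.Defined -and $reg.KdcNames.Count -gt 0) {
    Write-Host "Realm $Realm is defined in the registry; KdcNames = $($reg.KdcNames -join ', ')"
} elseif ($dns.SrvKdc.Count -gt 0) {
    Write-Host "Realm $Realm is not in the registry, but $srvName resolved to: $($dns.SrvKdc -join ', ')"
} else {
    Write-Warning "No KDC for $Realm found in the registry or via $srvName."
    Write-Warning "Define it with: ksetup /addkdc $Realm <kdc-hostname>   then verify with: ksetup /dumpstate"
}

if ($dns.TxtRealm.Count -gt 0) {
    Write-Host "_kerberos.$HostToRealmName TXT says the realm for that name is: $($dns.TxtRealm -join ', ')"
} else {
    Write-Host "No _kerberos.$HostToRealmName TXT record; the client will rely on the registry (or AD) for host-to-realm mapping"
}

# Return both results as objects so the script can be used from other tooling
[pscustomobject]@{ Registry = $reg; Dns = $dns }
```

Run it from an elevated prompt as `.\Check-MitRealm.ps1 -Realm MIT.EXAMPLE` (name your own file). A realm that shows up neither in the registry nor as an SRV record is the configuration gap Ross is asking about; a realm that is present but whose KdcNames are wrong or unreachable shows up instead as the KDC_ERR_WRONG_REALM that JM saw in Wireshark, so the two checks narrow down which side of the trust to look at.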


