Kerberos cross-realm with AD
Jean-Yves Avenard
jyavenard at gmail.com
Mon Feb 7 17:36:48 EST 2011
Hi
Thank you all for your answers.
At this stage I'm only interested in passing the authentication phase;
for authorisation I already have a plan (using LDAP).
On 8 February 2011 07:45, Douglas E. Engert <deengert at anl.gov> wrote:
>
> Is your PC Windows? Is it in a domain? If so, which domain?
It is a Windows PC; however, it's not on any domain.
> Did you get the ticket using the Windows kerberos, or some other kerberos?
Using MIT Kerberos for PCs.
>
> Is the browser IE or some other browser using non-windows Kerberos?
That's using Firefox.
I get the same behaviour connecting from a Mac, also with Firefox.
However, someone who replied directly to me gave me a great hint and
suggested that the MIT KDC may have been configured to use AES by
default; and sure enough:
kadmin.local: getprinc krbtgt/M.DOMAIN.COM at MEL.DOMAIN.COM
Principal: krbtgt/M.DOMAIN.COM at MEL.DOMAIN.COM
Expiration date: [never]
Last password change: Mon Feb 07 15:57:45 EST 2011
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Feb 07 15:57:45 EST 2011 (root/admin at M.DOMAIN.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 9
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
Key: vno 1, DES cbc mode with RSA-MD5, no salt
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
So in Windows Server, Domains & Trusts, I checked "The other domain
supports Kerberos AES encryption",
and now when connecting I see on the M.DOMAIN.COM KDC:
Feb 08 09:02:10 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes {18
17 16 23 1 3 2}) 60.242.40.141: ISSUE: authtime 1297115394, etypes
{rep=23 tkt=16 ses=18}, jean-yves.avenard at MEL.DOMAIN.COM for
HTTP/intranet.domain.com at M.DOMAIN.COM
And no more "Decrypt integrity check failed".
Now it fails somewhere else; on the web server I see:
[Tue Feb 08 09:13:29 2011] [error] [client 1.2.3.4] gss_acquire_cred()
failed: Unspecified GSS failure. Minor code may provide more
information (, No key table entry found for
HTTP/server4-2.mel.domain.com at MEL.DOMAIN.COM)
So it would seem the keytab on the web server running mod_auth_kerb
will also need a realm created on the new MEL.DOMAIN.COM KDC...
Jean-Yves
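An added check, not part of the post or of MIT Kerberos, for the two failures discussed above: it pulls the client, service principal and ticket enctype out of a krb5kdc "TGS_REQ ... ISSUE:" line of the form shown and compares them with an MIT "klist -kte" listing of the web server's keytab, reporting either the missing-principal case behind the mod_auth_kerb "No key table entry found" error or an enctype mismatch of the kind behind "Decrypt integrity check failed". The log line, keytab listing, client name and IP address are constructed; enctype numbers follow RFC 3961 / MIT krb5.

```python
import re

# Enctype numbers (RFC 3961 / MIT krb5) for the values in the KDC log line
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
# krb5kdc "TGS_REQ (...) ... ISSUE: ..." line; re.S copes with a wrapped paste
TGS_ISSUE_RE = re.compile(
    r"TGS_REQ \(\d+ etypes \{(?P<req>[\d ]+)\}\).*?ISSUE:.*?etypes "
    r"\{rep=\d+ tkt=(?P<tkt>\d+) ses=\d+\}, (?P<client>\S+) for (?P<service>\S+)",
    re.S)
# One entry line of MIT "klist -kte": KVNO, timestamp (2 tokens), principal, (enctype)
KEYTAB_RE = re.compile(r"^\s*\d+\s+\S+ \S+\s+(\S+) \((\S+)\)\s*$")

def parse_tgs_issue(log: str) -> dict:
    """Client, service, requested enctypes and ticket enctype from a KDC line."""
    m = TGS_ISSUE_RE.search(log)
    if not m:
        raise ValueError("not a krb5kdc TGS_REQ ISSUE line")
    return {"client": m["client"], "service": m["service"],
            "requested": [int(e) for e in m["req"].split()],
            "ticket_etype": int(m["tkt"])}

def parse_klist_kte(listing: str) -> dict:
    """Map principal -> set of enctype names from a klist -kte listing."""
    keys = {}
    for m in filter(None, map(KEYTAB_RE.match, listing.splitlines())):
        keys.setdefault(m[1], set()).add(m[2])
    return keys

def check_keytab(log: str, listing: str) -> list:
    """Reasons a GSS acceptor with this keytab cannot decrypt the issued ticket."""
    issue, keys = parse_tgs_issue(log), parse_klist_kte(listing)
    etype = issue["ticket_etype"]
    name = ENCTYPE_NAMES.get(etype, f"etype-{etype}")
    if issue["service"] not in keys:
        return [f"no keytab entry for {issue['service']}"]
    if name not in keys[issue["service"]]:
        return [f"{issue['service']} has no {name} key (ticket etype {etype})"]
    return []  # principal present with a key of the ticket's enctype

# Constructed sample: the KDC issued a des3 (16) ticket, but the keytab only
# holds AES-256 and RC4 keys for that service principal.
SAMPLE_LOG = ("Feb 08 09:02:10 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes "
              "{18 17 16 23 1 3 2}) 192.0.2.10: ISSUE: authtime 1297115394, etypes "
              "{rep=23 tkt=16 ses=18}, alice@MEL.DOMAIN.COM for HTTP/intranet.domain.com@M.DOMAIN.COM")
SAMPLE_KEYTAB = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/07/2011 15:57:45 HTTP/intranet.domain.com@M.DOMAIN.COM (aes256-cts-hmac-sha1-96)
   2 02/07/2011 15:57:45 HTTP/intranet.domain.com@M.DOMAIN.COM (arcfour-hmac)
"""
```

Heimdal's klist prints keytab entries in a different layout, so the KEYTAB_RE line format here is MIT-specific.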