Cross realm authentication

Mark Pröhl mark at
Wed Jan 5 02:59:04 EST 2011


What is the requested service principal name in the TGS request to 
realm2 KDC?

Can you provide more information about the client that does the cross 
realm request (Windows, MIT Kerberos, Java, ...)?


Mark Pröhl

On 01/05/2011 06:47 AM, krbmit siso wrote:
> Hi All,
> Please guide me to get cross realm authentication working under a Windows 2008
> server environment.
> I have set up two domains with realm1 and realm2 on 2 different Windows
> servers. I have added a one
> way trust at realm1 for realm2. The client in realm1 wants to access a
> server at realm2. I got the
> AS-REP with referral ticket for krbtgt/realm2 at realm1 from realm1 KDC
> server. Now the problem is
> that I am sending a TGS-REQ to the KDC server of realm2 by submitting the referral TGT,
> but the server returns
> with a KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN even though the principal
> name is the same
> as the name with working condition in single realm setup.
> Info in TGS req:
> Padata field ->
>                                Tkt-vno: 5
>                                Realm:
>                               Server Name (Principal): krbtgt/
>   Kdc-Req-body->
>                              Realm: REALM2.COM
>                              Server Name (Principal): ldap/
> Please guide me on identifying and resolving the problem for cross realm
> authentication.
> Thanks and Regards
> Naveen