Cross realm authentication

krbmit siso krbmit at gmail.com
Wed Jan 5 04:23:56 EST 2011


Hi Mark,
Thanks for the reply and interest.
The client in realm1 sends an AS-REQ to the realm1 KDC with the following info:

*AS-REQ info*
Client Name (Enterprise Name): user_1 at realm1.com (I am using the domain itself
as the realm)
Realm: realm1.com

Server Name (Principal): krbtgt/realm2.com

I have added a 2-way trust in realm1 Active Directory Domains and Trusts of the
Windows 2003 server.
I have also added a 2-way trust in realm2 Active Directory Domains and Trusts
of the Windows 2008 server,
but the TRUST is not visible.

*Server Principal Names in TGS-REQ.*
Padata field -> contents of the TICKET which is visible:
    Tkt-vno: 5
    Realm: realm1.com
    Server Name (Principal): krbtgt/realm2.com
Kdc-Req-body ->
    Realm: REALM2.COM
    Server Name (Principal): ldap/win2003.realm2.com

Please revert for any other info.
Regards
Naveen

On Wed, Jan 5, 2011 at 1:29 PM, Mark Pröhl <mark at mproehl.net> wrote:

> Hi,
>
> What is the requested service principal name in the TGS request to the
> realm2 KDC?
>
> Can you provide more information about the client that does the cross
> realm request (Windows, MIT Kerberos, Java, ...)?
>
> Regards,
>
> Mark Pröhl
>
> On 01/05/2011 06:47 AM, krbmit siso wrote:
> > Hi All,
> >
> > Please guide me to get cross realm authentication working under a Windows
> > 2008 server environment.
> > I have set up two domains, realm1 and realm2, on 2 different Windows
> > servers. I have added a one-way trust at realm1 for realm2. The client in
> > realm1 wants to access a server at realm2. I got the AS-REP with a referral
> > ticket for krbtgt/realm2 at realm1 from the realm1 KDC server. Now the
> > problem is that I am sending a TGS-REQ to the KDC server of realm2 by
> > submitting the referral TGT, but the server returns a KRB Error:
> > KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN even though the principal name is the same
> > as the name in the working single realm setup.
> > Info in TGS req:
> >
> > Padata field ->
> >     Tkt-vno: 5
> >     Realm: realm1.com
> >     Server Name (Principal): krbtgt/realm2.com
> > Kdc-Req-body ->
> >     Realm: REALM2.COM
> >     Server Name (Principal): ldap/win2003dpdnic.realm2.com
> >
> >
> > Please guide me on identifying and resolving the problem with cross realm
> > authentication.
> >
> >
> >
> > Thanks and Regards
> > Naveen
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>

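As an added illustration (not code from the thread or from any Kerberos implementation), here is a small Python checker for the two things the exchange above depends on: that the ticket carried in the TGS-REQ padata is a cross-realm TGT whose target realm agrees with the KDC-REQ-BODY realm, and that the realm2 KDC can find the requested service name, since KDC_ERR_S_PRINCIPAL_UNKNOWN is the answer a KDC gives when the server principal is not in its database. The TgsReqSummary container, the SPN sets and the principal values are constructed from the names shown in this thread.

```python
from dataclasses import dataclass

# RFC 4120 error code the KDC returns when the requested server principal is unknown.
KDC_ERR_S_PRINCIPAL_UNKNOWN = 7


@dataclass(frozen=True)
class TgsReqSummary:
    """Fields visible in the thread's TGS-REQ dump (hypothetical container, not ASN.1)."""
    tgt_realm: str      # realm that issued the ticket carried in PA-TGS-REQ
    tgt_sname: tuple    # its server name, e.g. ("krbtgt", "REALM2.COM")
    body_realm: str     # KDC-REQ-BODY realm the wanted service lives in
    body_sname: tuple   # KDC-REQ-BODY service name, e.g. ("ldap", "host.realm2.com")


def check_cross_realm_tgs_req(req: TgsReqSummary) -> list:
    """Return findings about a TGS-REQ that presents a cross-realm TGT; empty means consistent."""
    findings = []
    if len(req.tgt_sname) != 2 or req.tgt_sname[0] != "krbtgt":
        return ["padata ticket is not a krbtgt ticket; cross-realm needs a referral TGT"]
    target = req.tgt_sname[1]  # realm the referral TGT is good for
    if target == req.tgt_realm:
        findings.append(f"TGT is the local TGT of {target}, not a cross-realm referral")
    if target != req.body_realm:
        if target.upper() == req.body_realm.upper():
            findings.append(f"realm case differs: TGT names {target}, req-body says "
                            f"{req.body_realm} (RFC 4120 realm names are case-sensitive)")
        else:
            findings.append(f"req-body realm {req.body_realm} is not the TGT target {target}")
    host = req.body_sname[1] if len(req.body_sname) == 2 else ""
    # Heuristic for domain-style realms: the service host should sit under the target domain.
    if not host.lower().endswith(req.body_realm.lower()):
        findings.append(f"service name {'/'.join(req.body_sname)} is not service/host in {req.body_realm}")
    return findings


def foreign_kdc_lookup(registered_spns: set, body_sname: tuple):
    """Model the realm2 KDC's database check: None on success, otherwise the error it sends.
    Exact-match lookup is an assumption; a real KDC applies its own canonicalization rules."""
    wanted = "/".join(body_sname)
    return None if wanted in registered_spns else KDC_ERR_S_PRINCIPAL_UNKNOWN


if __name__ == "__main__":
    # Constructed from the values shown in the thread.
    req = TgsReqSummary("realm1.com", ("krbtgt", "realm2.com"),
                        "REALM2.COM", ("ldap", "win2003.realm2.com"))
    for finding in check_cross_realm_tgs_req(req):
        print("finding:", finding)
    print("realm2 KDC answer:", foreign_kdc_lookup({"ldap/win2003.realm2.com"}, req.body_sname))
```

Run against the thread's values it reports only the realm case difference between the TGT name and the request body; the lookup shows that the same request gets error 7 as soon as the exact service name is absent from the foreign realm's registered SPNs.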