Cross realm authentication

Mark Pröhl mark at mproehl.net
Wed Jan 5 08:46:41 EST 2011


Can you do a capture of the Kerberos network traffic (port 88) with
Wireshark on the client machine? That should include all Kerberos
exchanges:

client -> AS-REQ  -> realm1 kdc
client <- AS-REP  <- realm1 kdc
client -> TGS-REQ -> realm1 kdc
client <- TGS-REP <- realm1 kdc
client -> TGS-REQ -> realm2 kdc
client <- KDC-ERR <- realm2 kdc

Can you provide more information about the client that does the cross
realm request (Windows, MIT Kerberos, Java, ...)?

On 01/05/2011 10:23 AM, krbmit siso wrote:
> Hi Mark,
> Thanks for the reply and interest.
> The client in realm1 sends an AS-REQ to the realm1 KDC with the following info:
>
> AS-REQ info
> Client Name (Enterprise Name): user_1 at realm1.com (I am using the domain itself as the realm)
> Realm: realm1.com
>
> Server Name (Principal): krbtgt/realm2.com
>
> I have added a 2-way trust in realm1 Active Directory Domains and Trusts
> on the Windows 2003 server.
> I have also added a 2-way trust in realm2 Active Directory Domains and
> Trusts on the Windows 2008 server,
> but the trust is not visible.
>
> Server Principal Names in TGS-REQ
> Padata field -> Contents in the TICKET which is visible
>     Tkt-vno: 5
>     Realm: realm1.com
>     Server Name (Principal): krbtgt/realm2.com
> Kdc-Req-body ->
>     Realm: REALM2.COM
>     Server Name (Principal): ldap/win2003.realm2.com
>
> Please revert for any other info.
> Regards
> Naveen
>
> On Wed, Jan 5, 2011 at 1:29 PM, Mark Pröhl <mark at mproehl.net> wrote:
>
>     Hi,
>
>     What is the requested service principal name in the TGS request to the
>     realm2 KDC?
>
>     Can you provide more information about the client that does the cross
>     realm request (Windows, MIT Kerberos, Java, ...)?
>
>     Regards,
>
>     Mark Pröhl
>
>     On 01/05/2011 06:47 AM, krbmit siso wrote:
>     > Hi All,
>     >
>     > Please guide me to get cross realm authentication working under a
>     > Windows 2008 server environment.
>     > I have set up two domains, realm1 and realm2, on 2 different Windows
>     > servers. I have added a one-way trust at realm1 for realm2. The client
>     > in realm1 wants to access a server at realm2. I got the AS-REP with a
>     > referral ticket for krbtgt/realm2 at realm1 from the realm1 KDC server.
>     > Now the problem is that I am sending a TGS-REQ to the KDC server of
>     > realm2 by submitting the referral TGT, but the server returns a KRB
>     > Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN even though the principal name
>     > is the same as the name in the working single realm setup.
>     > Info in the TGS req:
>     >
>     > Padata field ->
>     >     Tkt-vno: 5
>     >     Realm: realm1.com
>     >     Server Name (Principal): krbtgt/realm2.com
>     > Kdc-Req-body ->
>     >     Realm: REALM2.COM
>     >     Server Name (Principal): ldap/win2003dpdnic.realm2.com
>     >
>     > Please guide me on identifying and resolving the problem for cross
>     > realm authentication.
>     >
>     > Thanks and Regards
>     > Naveen
>     > ________________________________________________
>     > Kerberos mailing list Kerberos at mit.edu
>     > https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
>

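To pick the failing exchange out of such a capture without clicking through every packet, here is an added example script (it is not part of this thread, nor Mark's, Naveen's or MIT Kerberos code). It decodes the outer ASN.1 [APPLICATION n] tag and the realm and server-principal fields of each raw KRB5 PDU, i.e. the port 88 payload that Wireshark's kerberos dissector shows, and prints one line per message, including the KRB-ERROR code. The sample PDUs in it are constructed skeletons built with a small DER encoder rather than a real capture; the realm and host names mirror the ones quoted in the thread, and all helper names are this example's own.

```python
"""Summarise a Kerberos exchange from raw KRB5 PDUs (the payload of port 88 packets).

Added example, not code from this thread. The sample PDUs are built here with a
minimal DER encoder and carry only the fields the summariser reads: they are
constructed skeletons, not a real capture.
"""

# Outer [APPLICATION n] tag of each Kerberos PDU (RFC 4120, section 5.10).
MSG_TYPES = {10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP",
             14: "AP-REQ", 30: "KRB-ERROR"}
# A few KDC error codes (RFC 4120, section 7.5.9); 7 is the one seen in the thread.
ERROR_CODES = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
               25: "KDC_ERR_PREAUTH_REQUIRED"}

# --- minimal DER encoder, just enough to build the sample PDUs ----------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content): return bytes([tag]) + der_len(len(content)) + content
def seq(content): return tlv(0x30, content)
def ctx(n, content): return tlv(0xA0 | n, content)   # context-specific [n], constructed
def app(n, content): return tlv(0x60 | n, content)   # [APPLICATION n], constructed
def integer(v): return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
def gstr(s): return tlv(0x1B, s.encode())            # GeneralString (KerberosString)
def principal(*parts):                               # PrincipalName, name-type NT-SRV-INST
    return seq(ctx(0, integer(2)) + ctx(1, seq(b"".join(gstr(p) for p in parts))))
def ticket(realm, *sname):                           # Ticket ::= [APPLICATION 1] SEQUENCE
    return app(1, seq(ctx(0, integer(5)) + ctx(1, gstr(realm)) + ctx(2, principal(*sname))))

def kdc_req(mtype, realm, sname, tgt=None):
    """AS-REQ (10) or TGS-REQ (12); a TGS-REQ carries its TGT inside PA-TGS-REQ padata."""
    fields = ctx(1, integer(5)) + ctx(2, integer(mtype))
    if tgt is not None:                              # padata [3] = SEQUENCE OF PA-DATA
        ap_req = app(14, seq(ctx(0, integer(5)) + ctx(1, integer(14)) + ctx(3, tgt)))
        fields += ctx(3, seq(seq(ctx(1, integer(1)) + ctx(2, tlv(0x04, ap_req)))))
    fields += ctx(4, seq(ctx(2, gstr(realm)) + ctx(3, principal(*sname))))  # req-body
    return app(mtype, seq(fields))

def kdc_rep(mtype, tkt):                             # AS-REP (11) or TGS-REP (13)
    return app(mtype, seq(ctx(0, integer(5)) + ctx(1, integer(mtype)) + ctx(5, tkt)))

def krb_error(code, realm, sname):                   # KRB-ERROR ::= [APPLICATION 30] SEQUENCE
    return app(30, seq(ctx(0, integer(5)) + ctx(1, integer(30)) + ctx(6, integer(code))
                       + ctx(9, gstr(realm)) + ctx(10, principal(*sname))))

# --- minimal DER decoder ------------------------------------------------------
def parse_tlv(buf, pos=0):
    """(tag, content, next_pos) of the single-byte-tag TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, buf[pos + 2:pos + 2 + first], pos + 2 + first
    n = first & 0x7F
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, buf[pos + 2 + n:pos + 2 + n + length], pos + 2 + n + length

def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = parse_tlv(content, pos)
        out.append((tag, val))
    return out

def field(seq_content, n):
    """Content of context tag [n] inside a SEQUENCE's content, or None if absent."""
    return next((v for t, v in children(seq_content) if t == (0xA0 | n)), None)

def unwrap(tlv_bytes):
    """For [APPLICATION n] SEQUENCE { ... }: return (n, content of the SEQUENCE)."""
    tag, app_content, _ = parse_tlv(tlv_bytes)
    return tag & 0x1F, parse_tlv(app_content)[1]

def int_of(tlv_bytes): return int.from_bytes(parse_tlv(tlv_bytes)[1], "big", signed=True)
def str_of(tlv_bytes): return parse_tlv(tlv_bytes)[1].decode()
def principal_of(tlv_bytes):                         # "service/host" from a PrincipalName
    names = field(parse_tlv(tlv_bytes)[1], 1)
    return "/".join(v.decode() for _, v in children(parse_tlv(names)[1]))
def ticket_of(tlv_bytes):                            # "sname@realm" from a Ticket
    _, t = unwrap(tlv_bytes)
    return f"{principal_of(field(t, 2))}@{str_of(field(t, 1))}"

def summarize(pdu):
    """One line naming the PDU, the server principal it concerns and any error code."""
    mtype, c = unwrap(pdu)
    name = MSG_TYPES.get(mtype, f"UNKNOWN({mtype})")
    if mtype == 30:                                  # error-code [6], realm [9], sname [10]
        code = int_of(field(c, 6))
        return f"{name} {ERROR_CODES.get(code, code)} for {principal_of(field(c, 10))}@{str_of(field(c, 9))}"
    if mtype in (10, 12):                            # req-body [4]: realm [2], sname [3]
        rb = parse_tlv(field(c, 4))[1]
        line = f"{name} for {principal_of(field(rb, 3))}@{str_of(field(rb, 2))}"
        pa = field(c, 3)
        if pa is not None:                           # first PA-DATA -> padata-value [2] -> AP-REQ -> ticket [3]
            ap_req = parse_tlv(field(parse_tlv(parse_tlv(pa)[1])[1], 2))[1]
            line += f" presenting TGT {ticket_of(field(unwrap(ap_req)[1], 3))}"
        return line
    if mtype in (11, 13):                            # ticket [5]
        return f"{name} with ticket {ticket_of(field(c, 5))}"
    return name

def summarize_exchange(pdus): return [summarize(p) for p in pdus]

# Constructed sample mirroring the six-message exchange listed above; not a real capture.
R1, R2 = "REALM1.COM", "REALM2.COM"
SAMPLE_EXCHANGE = [
    kdc_req(10, R1, ("krbtgt", R1)),
    kdc_rep(11, ticket(R1, "krbtgt", R1)),
    kdc_req(12, R1, ("krbtgt", R2), tgt=ticket(R1, "krbtgt", R1)),
    kdc_rep(13, ticket(R1, "krbtgt", R2)),
    kdc_req(12, R2, ("ldap", "win2003.realm2.com"), tgt=ticket(R1, "krbtgt", R2)),
    krb_error(7, R2, ("ldap", "win2003.realm2.com")),
]

if __name__ == "__main__":
    print("\n".join(summarize_exchange(SAMPLE_EXCHANGE)))
```

With a real capture, feed each Kerberos payload (for TCP, strip the 4-byte length prefix first) to summarize(); the fifth and sixth lines of the sample are the pair that matters in the thread: the TGS-REQ to the realm2 KDC showing which TGT was presented and which service principal was asked for, followed by the KRB-ERROR carrying the error code and the principal the KDC could not find.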