Fwd: Cross realm authentication

krbmit siso krbmit at gmail.com
Fri Jan 7 00:28:52 EST 2011


Hi Kevin

Please help me to solve the cross realm setup.
Please find the attached captures.

Regards
Naveen

---------- Forwarded message ----------
From: krbmit siso <krbmit at gmail.com>
Date: Thu, Jan 6, 2011 at 9:32 AM
Subject: Re: Cross realm authentication
To: mark at mproehl.net
Cc: kerberos at mit.edu, sudhakar at samsung.com


Hi Mark,

Please find the attached capture for cross realm setup. I did not
understand why you require 2 TGS-REQ going from the client; please
shed some light on the same.


Thanks and Regards
Naveen

On Wed, Jan 5, 2011 at 7:16 PM, Mark Pröhl <mark at mproehl.net> wrote:

> Can you do a capture of the Kerberos network traffic (port 88) with
> Wireshark on the client machine? That should include all Kerberos
> exchanges:
>
> client -> AS-REQ --> realm1 kdc
> client <- AS-REP <-- realm1 kdc
> client -> TGS-REQ -> realm1 kdc
> client <- TGS-REP <- realm1 kdc
> client -> TGS-REQ -> realm2 kdc
> client <- KDC-ERR <- realm2 kdc
>
>
> Can you provide more information about the client that does the cross
> realm request (Windows, MIT Kerberos, Java, ...)
>
> On 01/05/2011 10:23 AM, krbmit siso wrote:
>
> Hi Mark,
> Thanks for the reply and interest.
> The client in realm1 sends AS-REQ to realm1 kdc with the following info:
>
> *AS-REQ info*
> Client Name (Enterprise Name): user_1 at realm1.com (I am using domain
> itself as realm)
> Realm: realm1.com
>
> Server Name (Principal): krbtgt/realm2.com
>
> I have added 2 way trust in realm1 Active Directory Domains and Trusts of
> Windows 2003 server.
> I have also added 2 way trust in realm2 Active Directory Domains and Trusts
> of Windows 2008 server,
> but the TRUST is not visible.
>
> *Server Principal Names in TGS-REQ.*
>    Padata field ->   Contents in the TICKET which is visible
>                                 Tkt-vno: 5
>                                 Realm: realm1.com
>                                 Server Name (Principal): krbtgt/realm2.com
>    Kdc-Req-body->
>                                 Realm: REALM2.COM
>                                 Server Name (Principal): ldap/win2003.realm2.com
>
> Please revert for any other info.
> Regards
> Naveen
>
>  On Wed, Jan 5, 2011 at 1:29 PM, Mark Pröhl <mark at mproehl.net> wrote:
>
>> Hi,
>>
>> What is the requested service principal name in the TGS request to
>> realm2 kdc?
>>
>> Can you provide more information about the client that does the cross
>> realm request (Windows, MIT Kerberos, Java, ...)
>>
>> Regards,
>>
>> Mark Pröhl
>>
>> On 01/05/2011 06:47 AM, krbmit siso wrote:
>> > Hi All,
>> >
>> > Please guide me to get cross realm authentication working under Windows
>> > 2008 server environment.
>> > I have set up two domains with realm1 and realm2 in 2 different Windows
>> > servers. I have added a one way trust at realm1 for realm2. The client
>> > in realm1 wants to access a server at realm2. I got the
>> > AS-REP with referral ticket for krbtgt/realm2 at realm1 from realm1 KDC
>> > server. Now the problem is that I am sending TGS-REQ to KDC server of
>> > realm2 by submitting referral TGT, but the server returns
>> > with a KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN even though the
>> > principal name is the same
>> > as the name with working condition in single realm setup.
>> > Info in TGS req:
>> >
>> > Padata field ->
>> >                                Tkt-vno: 5
>> >                                Realm: realm1.com
>> >                                Server Name (Principal): krbtgt/realm2.com
>> >   Kdc-Req-body->
>> >                                Realm: REALM2.COM
>> >                                Server Name (Principal): ldap/win2003dpdnic.realm2.com
>> >
>> >
>> > Please guide me on identifying and resolving the problem for cross realm
>> > authentication.
>> >
>> >
>> >
>> > Thanks and Regards
>> > Naveen
>> > ________________________________________________
>> > Kerberos mailing list           Kerberos at mit.edu
>> > https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>
>
>
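
The exchange sequence listed in the quoted reply above can be compared step by step with a capture summary. This is an added example, not part of the original thread; the record layout (`type`, `kdc`, `sname`, `ticket_sname`, `ticket_realm`, `error`), the `KRB-ERROR` label and the sample records are constructed here from the field values quoted in the messages.

```python
# Added example: compare a capture summary with the exchange sequence
# listed in the thread. Record layout and samples are constructed.
EXPECTED = [("AS-REQ", "home"), ("AS-REP", "home"),
            ("TGS-REQ", "home"), ("TGS-REP", "home"),
            ("TGS-REQ", "target")]

def check_capture(msgs, home="realm1.com", target="realm2.com"):
    """Return a list of deviations from the expected cross-realm flow."""
    # Realm names are compared case-insensitively here (an assumption of
    # this example) because the quoted capture mixes realm1.com and REALM2.COM.
    realm = {"home": home.lower(), "target": target.lower()}
    findings, pos = [], 0
    for mtype, side in EXPECTED:
        idx = next((i for i in range(pos, len(msgs))
                    if msgs[i]["type"] == mtype
                    and msgs[i]["kdc"].lower() == realm[side]), None)
        if idx is None:
            findings.append(f"missing {mtype} with {realm[side]} KDC")
            continue
        pos = idx + 1
        if (mtype, side) == ("TGS-REQ", "target"):
            m = msgs[idx]
            # The ticket presented to the target KDC should be the
            # cross-realm TGT krbtgt/<target> issued by the home realm.
            if m.get("ticket_sname", "").lower() != "krbtgt/" + realm["target"]:
                findings.append("ticket is not krbtgt/" + realm["target"])
            if m.get("ticket_realm", "").lower() != realm["home"]:
                findings.append("ticket was not issued by " + realm["home"])
    replies = [m for m in msgs[pos:] if m["kdc"].lower() == realm["target"]]
    if not replies:
        findings.append("no reply from " + realm["target"] + " KDC")
    elif replies[0]["type"] == "KRB-ERROR":
        findings.append(f"{replies[0]['error']} for {replies[0]['sname']}")
    return findings

# Constructed from the fields quoted in the first message of the thread.
SAMPLE = [
    {"type": "AS-REQ", "kdc": "realm1.com", "sname": "krbtgt/realm2.com"},
    {"type": "AS-REP", "kdc": "realm1.com"},
    {"type": "TGS-REQ", "kdc": "REALM2.COM",
     "ticket_sname": "krbtgt/realm2.com", "ticket_realm": "realm1.com",
     "sname": "ldap/win2003dpdnic.realm2.com"},
    {"type": "KRB-ERROR", "kdc": "REALM2.COM",
     "error": "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
     "sname": "ldap/win2003dpdnic.realm2.com"},
]

if __name__ == "__main__":
    for finding in check_capture(SAMPLE):
        print(finding)
```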

