Cross realm authentication

Naveen bn naveen.bn at samsung.com
Fri Jan 7 06:03:18 EST 2011


<HTML><BODY>
<P>Hi Mark,</P>
<P><STRONG>Thank you for your timely response and explanation.</STRONG></P>
<P>Also it will be good if you please share some links/PDFs on Kerberos cross realm authentication w.r.t. requests and implementation details, like the requests going out from the client.</P>
<P>&nbsp;</P>
<P>Regards</P>
<P>Naveen</P>
<P>------- <B>Original Message</B> -------</P>
<P><B>Sender</B> : Mark Pröhl&lt;mark at mproehl.net&gt;</P>
<P><B>Date</B> : Jan 07, 2011 19:33 (GMT+09:00)</P>
<P><B>Title</B> : Re: Cross realm authentication</P>
<P>&nbsp;</P>
<P>On 01/06/2011 05:02 AM, krbmit siso wrote:<BR>
&gt; Hi Mark,<BR>
&gt;<BR>
&gt; Please find the attached capture for cross realm setup. I did not understand why you require<BR>
&gt; 2 TGS-REQ going from client, please shed some light on the same.</P>
<P>The following sketch shows the principals involved in cross realm authentication:</P>
<PRE>
    client                    realm-1 KDC
    client@REALM1    ->       krbtgt/REALM1@REALM1

                                  ^
                                  |
                                TRUST
                          krbtgt/REALM2@REALM1
                          krbtgt/REALM1@REALM2
                                  |
                                  v

    service          <-       realm-2 KDC
    service@REALM2            krbtgt/REALM2@REALM2
</PRE>
<P>Cross realm authentication usually works this way (scenario-1):</P>
<P>step 1: client requests a TGT in his realm: AS-REQ/AS-REP for krbtgt/REALM1@REALM1<BR>
step 2: client decides that service belongs to REALM2 (by client configuration, DNS topology or KDC referrals)<BR>
step 3: client requests a cross-realm TGT for REALM2 by TGS-REQ to realm-1 KDC: krbtgt/REALM2@REALM1<BR>
step 4: client requests a service ticket for service@REALM2 by TGS-REQ to realm-2 KDC. Client presents krbtgt/REALM2@REALM1</P>
<P>That is why two TGS requests are sent from a client in a typical scenario.</P>
<P>Your cross realm scenario (from the Wireshark capture) looks this way (scenario-2):</P>
<P>step 1: client requests a cross-realm TGT for REALM2 by AS-REQ to realm-1 KDC for krbtgt/REALM2@REALM1<BR>
step 2: client requests a service ticket for service@REALM2 by TGS-REQ to realm-2 KDC. Client presents krbtgt/REALM2@REALM1</P>
<P>That should work as well but is not the usual way.</P>
<P>The problem could be caused by your client or the trust setup between the two Windows domains.<BR>
To test the trust setup you should simulate the client by using kinit and kvno from MIT Kerberos:</P>
<PRE>
simulate scenario-1: kinit client@REALM1; kvno service@REALM2
simulate scenario-2: kinit -S krbtgt/REALM2@REALM1 client@REALM1; kvno service@REALM2
</PRE>
<P>Your krb5.conf or DNS SRV records should provide the configuration for both realms.</P>
<P>If that works then your trust setup is OK.</P>
<P>________________________________________________<BR>
Kerberos mailing list&nbsp;&nbsp;&nbsp;&nbsp;Kerberos at mit.edu<BR>
https://mailman.mit.edu/mailman/listinfo/kerberos</P>
</BODY></HTML>
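The two scenarios described in the quoted reply, as an added example that is not part of the original thread: a small Python model that derives the sequence of AS-REQ/TGS-REQ messages a client sends in scenario-1 and scenario-2, generalized to a chain of trusts (one TGS-REQ per hop). The trust graph, including the hypothetical REALM3 reachable only through REALM2, is constructed for illustration.

```python
from collections import deque
from typing import List, NamedTuple, Optional

# Constructed trust graph: TRUSTS[R] lists the realms X for which krbtgt/X@R
# exists, i.e. R's KDC can issue a cross-realm TGT for X.  REALM1 <-> REALM2 is
# the pair from the sketch; REALM3 is a hypothetical extra hop behind REALM2.
TRUSTS = {"REALM1": {"REALM2"}, "REALM2": {"REALM1", "REALM3"}, "REALM3": {"REALM2"}}

class Request(NamedTuple):
    kind: str                # "AS-REQ" or "TGS-REQ"
    kdc_realm: str           # realm whose KDC receives the request
    principal: str           # principal whose ticket is requested
    presents: Optional[str]  # ticket the client shows (None for an AS-REQ)

def trust_path(trusts, src, dst) -> Optional[List[str]]:
    """Shortest realm chain from src to dst following cross-realm keys (BFS)."""
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in sorted(trusts.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def scenario1(trusts, client, service) -> List[Request]:
    """Usual flow: AS-REQ for the home TGT, one TGS-REQ per trust hop, then the service ticket."""
    crealm, srealm = client.split("@")[1], service.split("@")[1]
    path = trust_path(trusts, crealm, srealm)
    if path is None:
        raise ValueError(f"no trust path from {crealm} to {srealm}")
    tgt = f"krbtgt/{crealm}@{crealm}"
    reqs = [Request("AS-REQ", crealm, tgt, None)]
    for cur, nxt in zip(path, path[1:]):          # one cross-realm TGT per hop
        reqs.append(Request("TGS-REQ", cur, f"krbtgt/{nxt}@{cur}", tgt))
        tgt = f"krbtgt/{nxt}@{cur}"
    reqs.append(Request("TGS-REQ", srealm, service, tgt))
    return reqs

def scenario2(trusts, client, service) -> List[Request]:
    """Capture's flow: AS-REQ straight for the cross-realm TGT (kinit -S), then the service ticket."""
    crealm, srealm = client.split("@")[1], service.split("@")[1]
    if srealm not in trusts.get(crealm, ()):
        raise ValueError("an AS-REQ can only name a cross-realm TGT of a directly trusted realm")
    xtgt = f"krbtgt/{srealm}@{crealm}"
    return [Request("AS-REQ", crealm, xtgt, None), Request("TGS-REQ", srealm, service, xtgt)]
```

Running `scenario1(TRUSTS, "client@REALM1", "service@REALM2")` yields exactly the AS-REQ plus two TGS-REQs from the reply, while a service in REALM3 needs three TGS-REQs and scenario-2 is only possible for a directly trusted realm.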