links for Cross realm
Douglas E. Engert
deengert at anl.gov
Mon Jan 17 11:04:14 EST 2011
On 1/17/2011 2:54 AM, krbmit siso wrote:
> Hi Douglas
> Thank you for the link.
> I have followed the same for cross-realm authentication between two realms.
> Please find the attached captures.
> Please guide me and let me know if there is any mistake in the requests sent from the client.
Records 6 and 7 show a clock skew, but this is minor, as the client
reissued the request at 19 with the response at 24.
Record 19 shows you are using PKINIT with your smart card, a CAC card I assume.
The client machine must be in realm DPDNETWORKING.COM, as the initial request
(19) was sent to the client machine's DC.
No cross realm is actually being done! The DPDNETWORKING.COM responded with a TGT in
The client is cac_user_1 at CAC2K8DOMAIN.COM
The Server is krbtgt/DPDNETWORKING.COM
In records 36 and 46, the client machine tries to get tickets for
cifs/win2003dpdnic.dpdnetworking.com and smtpsvc/win2003dpdnic.dpdnetworking.com
using the TGT from 24, with client cac_user_1 at CAC2K8DOMAIN.COM.
And it looks like the user account cac_user_1 is not found in the AD.
So I think the problems are related to the way you have registered or not registered
the smartcard in AD and how AD can derive the domain account to use from
In Windows 2000, the certificate had to be issued with a subjectAltName OtherName
msUPN where the UPN was the principal name.
Over the years, with Windows 7, this is no longer a requirement; third-party CAs can be used
and one certificate can be used at multiple domains.
The main point is given a certificate what domain account does this map to? In W7
a user can specify the account during login, or let AD figure it out from mapping the
certificate to an account.
Google for: site:microsoft.com PIV smartcard login
> On Fri, Jan 7, 2011 at 9:17 PM, Douglas E. Engert <deengert at anl.gov> wrote:
> On 1/6/2011 11:22 PM, krbmit siso wrote:
> > Hi All,
> > Please provide some information on the working of cross realm .
> > Any links or PDFs on the same are appreciated.
> Google for these:
> kerberos cross-realm authentication
> AD cross-realm authentication
> site:microsoft.com cross-realm
> > Thanks and Regards
> > Naveen
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> Douglas E. Engert <DEEngert at anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439