links for Cross realm

Douglas E. Engert deengert at anl.gov
Mon Jan 17 11:04:14 EST 2011



On 1/17/2011 2:54 AM, krbmit siso wrote:
> Hi Douglas
>
> Thank you for the link.
>   I have followed the same for cross-realm authentication between two realms.
> Please find the attached captures.
> Please guide me and let me know if there is any mistake in the requests sent from the client.
>
> Regards
> Naveen
>

Records 6 and 7 show a clock skew, but this is minor, as the client
reissued the request at 19, with the response at 24.

Record 19 shows you are using PKINIT with your smart card, a CAC card I assume.

The client machine must be in realm DPDNETWORKING.COM, as the initial request
(19) was sent to the client machine's DC.

No cross-realm is actually being done! The DPDNETWORKING.COM realm responded with a TGT in
record 24.
The client is cac_user_1 at CAC2K8DOMAIN.COM
The server is krbtgt/DPDNETWORKING.COM


In records 36 and 46, the client machine tries to get tickets for
cifs/win2003dpdnic.dpdnetworking.com and smtpsvc/win2003dpdnic.dpdnetworking.com
using the TGT from 24, with client cac_user_1 at CAC2K8DOMAIN.COM.

And it looks like the user account cac_user_1 is not found in the AD.

So I think the problems are related to the way you have registered or not registered
the smartcard in AD and how AD can derive the domain account to use from
a certificate.

In Windows 2000, the certificate had to be issued with a subjectAltName OtherName
msUPN where the UPN was the principal name.

Over the years, with Windows 7, this is no longer a requirement; third-party CAs can be used,
and one certificate can be used at multiple domains.

The main point is: given a certificate, what domain account does this map to? In W7
a user can specify the account during login, or let AD figure it out by mapping the
certificate to an account.


Google for: site:microsoft.com  PIV smartcard login




> On Fri, Jan 7, 2011 at 9:17 PM, Douglas E. Engert <deengert at anl.gov> wrote:
>
>
>
>     On 1/6/2011 11:22 PM, krbmit siso wrote:
>      > Hi All,
>      >
>      > Please provide some information on the working of cross-realm.
>      > Any links or PDFs on the same are appreciated.
>
>     Google for these:
>       kerberos cross-realm authentication
>
>       AD cross-realm authentication
>
>     site:microsoft.com cross-realm
>
>      >
>      >
>      > Thanks and Regards
>      > Naveen
>      > ________________________________________________
>      > Kerberos mailing list Kerberos at mit.edu
>      > https://mailman.mit.edu/mailman/listinfo/kerberos
>      >
>      >
>
>     --
>
>       Douglas E. Engert <DEEngert at anl.gov>
>       Argonne National Laboratory
>       9700 South Cass Avenue
>       Argonne, Illinois  60439
>       (630) 252-5444
>     ________________________________________________
>     Kerberos mailing list Kerberos at mit.edu
>     https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
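As an added example (not part of this message or of the original thread), the following Python shows the mechanism the message describes: the UPN is carried in a subjectAltName otherName with Microsoft's OID 1.3.6.1.4.1.311.20.2.3, and the account and realm are derived by splitting it at the "@". The DER encoding and parsing here are hand-written and minimal (no third-party library, and not taken from any real PKINIT or AD implementation); the sample extension is constructed from the principal names quoted in the thread, and only the 2.5.29.17 extension value is handled, not a whole certificate. The no-UPN case at the end is the situation the message points at for third-party CAs: AD cannot derive the account from the SAN alone and needs an explicit certificate-to-account mapping (on the user object's altSecurityIdentities attribute) or the user naming the account at logon.

```python
MS_UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # szOID_NT_PRINCIPAL_NAME (Microsoft UPN otherName)


# --- minimal DER primitives (hand-written for this example) ----------------

def _encode_length(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """One tag-length-value triple."""
    return bytes([tag]) + _encode_length(len(content)) + content


def encode_oid(dotted):
    """Dotted OID string -> DER content octets (first arc assumed 0, 1 or 2)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]              # base-128, high bit on all but last byte
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(raw):
    """DER content octets -> dotted OID string."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf, pos=0):
    """Return (tag, content, position after this TLV); rejects truncated input."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def iter_tlvs(buf):
    """Yield (tag, content) for each element of a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        yield tag, content


# --- subjectAltName (2.5.29.17) value: build and parse ----------------------

def build_san(upn=None, dns_names=()):
    """GeneralNames SEQUENCE with an optional UPN otherName plus dNSNames."""
    names = []
    if upn is not None:
        # otherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY },
        # carried as GeneralName [0]; Microsoft encodes the UPN as UTF8String.
        other = der(0x06, encode_oid(MS_UPN_OID)) + der(0xA0, der(0x0C, upn.encode("utf-8")))
        names.append(der(0xA0, other))
    for host in dns_names:
        names.append(der(0x82, host.encode("ascii")))   # dNSName [2] IA5String
    return der(0x30, b"".join(names))


def extract_upn(san_der):
    """UPN string from a subjectAltName extension value, or None if absent."""
    tag, general_names, _ = read_tlv(san_der)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    for gn_tag, gn in iter_tlvs(general_names):
        if gn_tag != 0xA0:                      # only otherName [0] can carry a UPN
            continue
        oid_tag, oid_raw, pos = read_tlv(gn)
        if oid_tag != 0x06 or decode_oid(oid_raw) != MS_UPN_OID:
            continue                            # some other otherName type
        val_tag, explicit, _ = read_tlv(gn, pos)
        inner_tag, inner, _ = read_tlv(explicit)
        if val_tag != 0xA0 or inner_tag != 0x0C:
            raise ValueError("UPN otherName value must be [0] EXPLICIT UTF8String")
        return inner.decode("utf-8")
    return None


def account_from_upn(upn):
    """Split user@domain into (user, REALM); None when there is no usable UPN."""
    if not upn or "@" not in upn:
        return None
    user, domain = upn.rsplit("@", 1)
    return user, domain.upper()


if __name__ == "__main__":
    # Constructed sample built from the principal names in the thread (not a real capture).
    san = build_san("cac_user_1@cac2k8domain.com", ["win2003dpdnic.dpdnetworking.com"])
    print(san.hex())
    print(extract_upn(san), account_from_upn(extract_upn(san)))
    # Third-party certificate with no UPN: nothing to derive the account from.
    print(account_from_upn(extract_upn(build_san(dns_names=["host.example.com"]))))
```

The parser deliberately skips otherName entries with a different type-id and rejects a UPN value that is not an explicitly tagged UTF8String, since a mapping step that silently accepted a malformed or foreign otherName is exactly where a certificate could be matched to the wrong account.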


