Cross-realm between Windows Server 2008 R2

Douglas E. Engert deengert at anl.gov
Wed Jun 15 10:01:47 EDT 2011



On 6/14/2011 4:11 AM, jm130794 wrote:
> Hello,
>
> I have a little question: is it possible to create a cross-realm between AD
> (Windows Server 2008 R2) and MIT Kerberos?
>
> I tried but...

Are you able to go the other way, with a Windows user accessing a server
in the Kerberos realm?

You did not say how you set up cross realm.

>
> When I try to connect on Windows Server with my Kerberos MIT user, I get
> these errors in krb5kdc.log :
>
> Jun 14 09:22:29 srv1 krb5kdc[979](info): AS_REQ (7 etypes {18 17 23 3 1 24
> -135}) 192.168.2.2: NEEDED_PREAUTH: user1 at TEST.FR for krbtgt/TEST.FR at TEST.FR,
> Additional pre-authentication required
> Jun 14 09:22:29 srv1 krb5kdc[979](info): AS_REQ (7 etypes {18 17 23 3 1 24
> -135}) 192.168.2.2: ISSUE: authtime 1308036149, etypes {rep=18 tkt=18
> ses=18}, user1 at TEST.FR for krbtgt/TEST.FR at TEST.FR
> Jun 14 09:22:29 srv1 krb5kdc[979](info): TGS_REQ (7 etypes {18 17 23 3 1 24
> -135}) 192.168.2.2: ISSUE: authtime 1308036149, etypes {rep=18 tkt=18
> ses=18}, user1 at TEST.FR for krbtgt/AD.TEST.FR at TEST.FR

This last one looks correct, but it is using an AES-256 key. If your W2008 R2
is still running at the 2003 level, the AD may be expecting arcfour keys.

A Wireshark trace of the KRB5 packets would show a lot more info,
such as what the client did with this cross-realm TGT.
Did it try to use it to get a service ticket from AD?
And what did AD do with it?

For windows services, AD will want to add a PAC to the ticket,
with UUID and GUID info for the user. So the KRB5 users will need
accounts in AD to use AD services.


>
> Any ideas ?
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
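As an added example (not part of this thread, and not MIT or Microsoft code): a small Python parser for krb5kdc.log lines of the kind quoted above. It picks out the cross-realm TGS_REQ (the one for krbtgt/AD.TEST.FR@TEST.FR), reads the etype of the ticket the KDC issued, and compares it with the enctypes the AD side of the trust is assumed to accept, which is the first thing to check before reaching for Wireshark. The two trust-enctype sets and the sample log lines are constructed for the example; in real logs the principal separator is "@" (the list archive rewrites it as " at ") and each record is a single line.

```python
"""Check the enctype of cross-realm TGTs issued by an MIT KDC against what
the trusting AD realm is assumed to accept. Example code, not from the thread."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
    24: "arcfour-hmac-exp",
}

# ASSUMPTION for this example: a trust at pre-2008 functional level only has
# an RC4 key for the inbound krbtgt, while a 2008+ trust can also hold AES keys.
TRUST_ETYPES_2003_LEVEL = {23}
TRUST_ETYPES_2008_LEVEL = {18, 17, 23}

# Matches the AS_REQ / TGS_REQ info lines written by krb5kdc (1.9-era format).
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<kind>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<req_etypes>[^}]*)\}\) (?P<ip>\S+): (?P<status>[A-Z_]+):"
    r"(?: authtime \d+, etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\},)?"
    r" (?P<client>[^\s,]+) for (?P<server>[^\s,]+)"
)

# Constructed sample input modelled on the lines quoted in the thread.
SAMPLE_LOG = [
    "Jun 14 09:22:29 srv1 krb5kdc[979](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) "
    "192.168.2.2: NEEDED_PREAUTH: user1@TEST.FR for krbtgt/TEST.FR@TEST.FR, "
    "Additional pre-authentication required",
    "Jun 14 09:22:29 srv1 krb5kdc[979](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) "
    "192.168.2.2: ISSUE: authtime 1308036149, etypes {rep=18 tkt=18 ses=18}, "
    "user1@TEST.FR for krbtgt/TEST.FR@TEST.FR",
    "Jun 14 09:22:29 srv1 krb5kdc[979](info): TGS_REQ (7 etypes {18 17 23 3 1 24 -135}) "
    "192.168.2.2: ISSUE: authtime 1308036149, etypes {rep=18 tkt=18 ses=18}, "
    "user1@TEST.FR for krbtgt/AD.TEST.FR@TEST.FR",
]


@dataclass
class KdcEvent:
    kind: str
    status: str
    client: str
    server: str
    req_etypes: List[int]     # etypes the client offered
    tkt_etype: Optional[int]  # etype of the issued ticket, None if nothing issued


@dataclass
class Finding:
    client: str
    remote_realm: str
    tkt_etype: int
    accepted: bool  # True if the trust is assumed to hold a key of this etype


def parse_line(line: str) -> Optional[KdcEvent]:
    """Parse one krb5kdc.log line; returns None for lines of other shapes."""
    m = LINE_RE.search(line)
    if not m:
        return None
    req = [int(x) for x in m.group("req_etypes").split()]
    tkt = int(m.group("tkt")) if m.group("tkt") else None
    return KdcEvent(m.group("kind"), m.group("status"), m.group("client"),
                    m.group("server"), req, tkt)


def cross_realm_target(server: str) -> Optional[str]:
    """Return REMOTE if server is krbtgt/REMOTE@LOCAL with REMOTE != LOCAL."""
    if not server.startswith("krbtgt/"):
        return None
    inst, _, local = server[len("krbtgt/"):].partition("@")
    return inst if inst and local and inst != local else None


def check_cross_realm(lines: Iterable[str], trust_etypes: Set[int]) -> List[Finding]:
    """Flag every issued cross-realm TGT whose etype the trust may not have a key for."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.kind != "TGS_REQ" or ev.status != "ISSUE":
            continue
        remote = cross_realm_target(ev.server)
        if remote is None or ev.tkt_etype is None:
            continue
        findings.append(Finding(ev.client, remote, ev.tkt_etype,
                                ev.tkt_etype in trust_etypes))
    return findings


if __name__ == "__main__":
    for f in check_cross_realm(SAMPLE_LOG, TRUST_ETYPES_2003_LEVEL):
        name = ETYPE_NAMES.get(f.tkt_etype, str(f.tkt_etype))
        verdict = "ok" if f.accepted else "MISMATCH: trust may lack a key of this type"
        print(f"{f.client} -> {f.remote_realm}: ticket etype {name}: {verdict}")
```

Run against the quoted lines with the 2003-level set, the one cross-realm ticket is flagged because it was issued with aes256-cts (18) and the trust is assumed to have only an RC4 key; with the 2008-level set it passes. A mismatch here means AD cannot decrypt the referral TGT at all, which is worth ruling out before tracing the client's next exchange with the AD KDC.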
