Cross-realm between Windows Server 2008 R2

jm130794 jm130794 at gmail.com
Wed Jun 15 11:41:41 EDT 2011


Hi all,

Yesterday, I forgot to Reply All :(

As I said to Simo:

I realized my mistake. I tried to log in as a normal user. It is prohibited
by default on Windows Server 2008.

For testing, I mapped user1@TEST.FR to administrator@AD.TEST.FR. It works.

Now, I'll try to add a Windows 7 workstation to my domain...

Thanks


2011/6/15 Douglas E. Engert <deengert at anl.gov>

>
>
> On 6/14/2011 4:11 AM, jm130794 wrote:
> > Hello,
> >
> > I have a little question: is it possible to create a cross-realm between AD
> > (Windows Server 2008 R2) and MIT Kerberos?
> >
> > I tried but...
>
> Are you able to go the other way, with a Windows user accessing a server
> in the Kerberos realm?
>
> You did not say how you set up cross realm.
>
> >
> > When I try to connect to the Windows Server with my MIT Kerberos user, I get
> > these errors in krb5kdc.log:
> >
> > Jun 14 09:22:29 srv1 krb5kdc[979](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.2.2: NEEDED_PREAUTH: user1@TEST.FR for krbtgt/TEST.FR@TEST.FR, Additional pre-authentication required
> > Jun 14 09:22:29 srv1 krb5kdc[979](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.2.2: ISSUE: authtime 1308036149, etypes {rep=18 tkt=18 ses=18}, user1@TEST.FR for krbtgt/TEST.FR@TEST.FR
> > Jun 14 09:22:29 srv1 krb5kdc[979](info): TGS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.2.2: ISSUE: authtime 1308036149, etypes {rep=18 tkt=18 ses=18}, user1@TEST.FR for krbtgt/AD.TEST.FR@TEST.FR
>
> This last one looks correct, but it is using an AES-256 key. If your W2008 R2
> is still running at 2003 level, the AD may be expecting arcfour keys.
>
> A Wireshark trace of the KRB5 packets would show a lot more info,
> such as what did the client do with this cross realm TGT?
> Did it try and use it to get a service ticket from AD?
> And what did AD do with it?
>
> For windows services, AD will want to add a PAC to the ticket,
> with UUID and GUID info for the user. So the KRB5 users will need
> accounts in AD to use AD services.
>
>
> >
> > Any ideas?
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> >
>
> --
>
>  Douglas E. Engert  <DEEngert at anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
>
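As an added example (not from the thread or from MIT Kerberos itself), the following script parses krb5kdc.log lines like the ones quoted above, picks out the cross-realm TGT issued for krbtgt/AD.TEST.FR, and reports the enctype the ticket was issued with against the set of enctypes you assume the AD side of the trust holds a key for; the RC4-only set used in the demo is an assumption standing in for the 2003-functional-level case Douglas mentions.

```python
import re

# Constructed sample: the three krb5kdc.log lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
Jun 14 09:22:29 srv1 krb5kdc[979](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.2.2: NEEDED_PREAUTH: user1@TEST.FR for krbtgt/TEST.FR@TEST.FR, Additional pre-authentication required
Jun 14 09:22:29 srv1 krb5kdc[979](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.2.2: ISSUE: authtime 1308036149, etypes {rep=18 tkt=18 ses=18}, user1@TEST.FR for krbtgt/TEST.FR@TEST.FR
Jun 14 09:22:29 srv1 krb5kdc[979](info): TGS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.2.2: ISSUE: authtime 1308036149, etypes {rep=18 tkt=18 ses=18}, user1@TEST.FR for krbtgt/AD.TEST.FR@TEST.FR
"""

# Kerberos enctype numbers (RFC 3961/3962/4757) for the types that appear in the log.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac", 24: "arcfour-hmac-exp"}

LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[-\d ]+)\}\) "
    r"(?P<client_ip>\S+): (?P<status>\w+): "
    r"(?:authtime \d+, etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, )?"
    r"(?P<client>\S+) for (?P<server>\S+?)(?:,.*)?$")

def parse_kdc_line(line):
    """Return a dict for one AS_REQ/TGS_REQ log line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["offered"] = [int(x) for x in rec["offered"].split()]  # etypes the client offered
    for key in ("rep", "tkt", "ses"):                            # present only on ISSUE lines
        rec[key] = int(rec[key]) if rec[key] else None
    service, _, issuing_realm = rec["server"].partition("@")
    # A TGT for krbtgt/<OTHER>@<HOME> is a cross-realm TGT aimed at realm <OTHER>.
    target = service[len("krbtgt/"):] if service.startswith("krbtgt/") else None
    rec["cross_realm_target"] = target if target and target != issuing_realm else None
    return rec

def audit_cross_realm(log_text, trust_etypes):
    """List issued cross-realm TGTs and whether their ticket enctype is in trust_etypes,
    the caller's assumption about which enctypes the remote realm's trust key supports."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_kdc_line(line)
        if not rec or rec["status"] != "ISSUE" or not rec["cross_realm_target"]:
            continue
        findings.append({"client": rec["client"], "target_realm": rec["cross_realm_target"],
                         "tkt_etype": ETYPE_NAMES.get(rec["tkt"], str(rec["tkt"])),
                         "etype_supported_by_trust": rec["tkt"] in trust_etypes})
    return findings

if __name__ == "__main__":
    # Demo assumption: the AD side of the trust only holds an RC4 (etype 23) key.
    for finding in audit_cross_realm(SAMPLE_LOG, trust_etypes={23}):
        print(finding)
```

Run against a real krb5kdc.log, the `etype_supported_by_trust` flag being False for a cross-realm TGT is the cue to compare the enctypes on the krbtgt/AD.TEST.FR principal with what the AD trust was created with.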


