cross-realm trust MIT and Windows 2008 - Authentication issues

C.Racky@t-online.de
Thu Aug 2 13:08:45 EDT 2012


Greetings,

I have the following setup:

- A MIT Kerberos realm MITREALM containing user principals (user@MITREALM)
- A Windows 2008 Active Directory domain ADS.NET which is configured on DC adsdc01.
- A Windows 2008 domain member admember within the ADS.NET domain.
- There is a cross-realm trust between ADS.NET and the MIT realm MITREALM.
- The local Windows account has a Kerberos name mapping.

Login using principal user@MITREALM works successfully on all systems of the
ADS.NET domain.
But access from adsdc01 to admember or from admember to a network drive
of adsdc01 (below) does not work.

Unexpectedly I see the following log entries on the MIT Kerberos server:
Jul 23 17:39:05 mitkrb01 krb5kdc[20062](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 100.21.20.165: ISSUE: authtime 1343057945, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
Jul 23 17:39:05 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: ISSUE: authtime 1343057945, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/ADS.NET@MITREALM
Jul 23 17:39:20 mitkrb01 krb5kdc[20062](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 100.21.20.165: ISSUE: authtime 1343057960, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
Jul 23 17:39:20 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: ISSUE: authtime 1343057960, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/ADS.NET@MITREALM
Jul 23 17:39:20 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: UNKNOWN_SERVER: authtime 1343057960, user@MITREALM for cifs/adsdc01.ads.net@MITREALM, Server not found in Kerberos database
Jul 23 17:39:21 mitkrb01 krb5kdc[20062](info): TGS_REQ (1 etypes {18}) 100.21.20.165: ISSUE: authtime 1343057960, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
Jul 23 17:39:21 mitkrb01 krb5kdc[20062](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 100.21.20.165: ISSUE: authtime 1343057961, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
Jul 23 17:39:21 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: ISSUE: authtime 1343057961, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/ADS.NET@MITREALM
Jul 23 17:39:21 mitkrb01 krb5kdc[20062](info): TGS_REQ (1 etypes {18}) 100.21.20.165: ISSUE: authtime 1343057961, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/MITREALM@MITREALM
Jul 23 17:39:29 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: UNKNOWN_SERVER: authtime 1343057960, user@MITREALM for ldap/adsdc01.ads.net@MITREALM, Server not found in Kerberos database

==> It seems as if the Windows system looks for the service principal
on the MIT system instead of the Windows DC.

Do you understand this?
Is there any general limitation of Windows related to cross-realm
trusts and services like cifs and ldap?
Can you please help me? Maybe it is just a misconfiguration, but I
have now spent several days on this issue without any progress.

Best regards
Chris
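The following Python script is an added example, not part of Chris's message or of MIT Kerberos: it parses krb5kdc log lines like the ones quoted above and flags TGS requests in which a host-based service principal was asked of this KDC although the host's DNS domain maps to another realm, which is the pattern the two UNKNOWN_SERVER lines show. The domain-to-realm table is a constructed stand-in for a client's krb5.conf [domain_realm] section, and the sample log lines are reconstructed from the post.

```python
import re

# Constructed krb5.conf-style [domain_realm] mapping: hosts under ads.net belong to ADS.NET.
DOMAIN_REALM = {".ads.net": "ADS.NET"}

# Fields of a krb5kdc info line: request type, client IP, status, client and server principal.
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) .*?"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+): (?P<status>[A-Z_]+): .*?"
    r"(?P<client>\S+@\S+) for (?P<server>\S+@\S+)"
)

# Constructed from the KDC excerpt in the post, one record per line.
SAMPLE_LOG = """\
Jul 23 17:39:20 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: ISSUE: authtime 1343057960, etypes {rep=18 tkt=18 ses=18}, user@MITREALM for krbtgt/ADS.NET@MITREALM
Jul 23 17:39:20 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: UNKNOWN_SERVER: authtime 1343057960, user@MITREALM for cifs/adsdc01.ads.net@MITREALM, Server not found in Kerberos database
Jul 23 17:39:29 mitkrb01 krb5kdc[20062](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 100.21.20.165: UNKNOWN_SERVER: authtime 1343057960, user@MITREALM for ldap/adsdc01.ads.net@MITREALM, Server not found in Kerberos database
""".splitlines()

def realm_for_host(host):
    """Realm a hostname maps to under DOMAIN_REALM (longest suffix wins)."""
    for suffix in sorted(DOMAIN_REALM, key=len, reverse=True):
        if host.lower().endswith(suffix):
            return DOMAIN_REALM[suffix]
    return None

def parse_kdc_line(line):
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["server"] = rec["server"].rstrip(",")  # drop comma before "Server not found ..."
    return rec

def find_misrouted(lines):
    """TGS requests for a host-based service whose host belongs to another realm."""
    hits = []
    for line in lines:
        rec = parse_kdc_line(line)
        if rec is None or rec["req"] != "TGS_REQ":
            continue
        name, _, asked_realm = rec["server"].partition("@")
        if name.startswith("krbtgt/") or "/" not in name:
            continue  # krbtgt/ADS.NET@MITREALM is the normal cross-realm TGT request
        expected = realm_for_host(name.split("/", 1)[1])
        if expected and expected != asked_realm:
            hits.append((rec["client"], rec["server"], expected, rec["status"]))
    return hits
```

Each hit names the realm the client should have asked for the service ticket, which is what the [domain_realm] mapping on the client side (or the Windows-side name suffix routing) has to supply.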



More information about the Kerberos mailing list