Cross realm problem

Robert Wehn robert.wehn at rz.uni-augsburg.de
Wed Jun 6 16:04:41 EDT 2012


On Mon, 4 Jun 2012 15:28:46 +0000, "Wilper, Ross A" <rwilper at stanford.edu>
wrote:
> The user will have to connect to their home directory using a credential
> from Active Directory (using NTLM auth).
> 
> Windows computers will not use Kerberos unless they are:
> 	Professional, Enterprise, or Ultimate edition
With Win XP this was no problem, but in Win7 the Home Editions don't have
the "Join a Domain" function (Vista? no idea)
> 	Joined to a domain (Or "joined" to an MIT/Heimdal realm)

In principle it works, but it's very complicated, as the client has to
manage the whole cross-realm thing:
- Have both realms in the registry (with the KDCs, or DNS lookup)
- Do the host-to-realm mapping
Both things may be done with the ksetup command, but every client needs
it configured locally, as there's no help from AD/GPO/whatever to do that
on a single client.

Then you can use
net use \\server-fqdn\share /USER:username@MITRELM.MYDOMAIN (or use
explorer)
and the host-to-realm mapping has to lead the client application to
1. Get a TGT for username from the MITRELM.MYDOMAIN KDC
2. Get a cross-realm ticket for ADRELM.MYDOMAIN from the MITRELM.MYDOMAIN KDC
3. Get a server-fqdn@ADRELM.MYDOMAIN ticket from the ADRELM.MYDOMAIN KDC (AD
controller)
4. Start the SMB session

2nd problem:
All the client apps have to do this on their own:
We actually failed in trying to do this with Outlook and Exchange.
The Exchange server can do this, so web access works with
username@MITRELM.MYDOMAIN
The Outlook client is not able to manage this, even on an AD-joined
machine

>> home directory. My problem is he cannot be authenticated with his MIT
>> account. His computer is not a member of the AD (I don't have access to it).
You would have to open the Kerberos ports for all KDCs to the outside.

For DNS use, for
REALM -> KDC and
SERVICE-fqdn -> REALM
matching, all the service records have to be readable from the world.

> He could use Remote Desktop Connection from home PC to work PC. And if he
> really needs access to files from both, use the RDC to give the work PC
> access to the home PC's disks.
This is the easy way out ;-)

Robert
 
-- 

Dr. Robert Wehn ........................ http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2047
86135 Augsburg .................................. Fax. (0821) 598-2028
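The per-client ksetup configuration and the net use step described in the post above, written out as an added example that is not part of the original message. The realm names and server-fqdn are the post's own placeholders; the KDC host names (kdc1.mitrelm.mydomain, dc1.adrelm.mydomain) and the share name are assumptions, and the commands need an elevated prompt on the client.

```powershell
# Added example: per-client cross-realm setup with ksetup (run elevated).
# Realm names are the post's placeholders; KDC host names are assumptions.

# 1. Register the KDCs of both realms on this client.
#    Leaving the KDC name out makes Windows fall back to the
#    _kerberos._tcp.<REALM> SRV record, which then has to be resolvable.
ksetup /addkdc MITRELM.MYDOMAIN kdc1.mitrelm.mydomain
ksetup /addkdc ADRELM.MYDOMAIN  dc1.adrelm.mydomain

# 2. Host-to-realm mapping: the file server belongs to the AD realm, so the
#    client knows it must go through the AD KDC (via a cross-realm ticket)
#    instead of asking the MIT KDC for the service ticket.
ksetup /addhosttorealmmap server-fqdn ADRELM.MYDOMAIN

# Show the realm, KDC and mapping entries now stored on this client.
ksetup

# 3. Connect with the MIT principal. The expected ticket chain is:
#    krbtgt/MITRELM.MYDOMAIN@MITRELM.MYDOMAIN (TGT)
#    -> krbtgt/ADRELM.MYDOMAIN@MITRELM.MYDOMAIN (cross-realm)
#    -> cifs/server-fqdn@ADRELM.MYDOMAIN (service ticket)
net use \\server-fqdn\share /USER:username@MITRELM.MYDOMAIN

# 4. Verify: the cache should list all three tickets. A missing cross-realm
#    ticket usually means the host-to-realm mapping or the KDC entry is wrong.
klist
```

Because this lives in each client's registry and not in AD/GPO, the same commands have to be repeated on every machine that should work this way.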



More information about the Kerberos mailing list