Advice on cross-realm PKINIT?

Greg Hudson ghudson at MIT.EDU
Mon Jun 9 15:54:59 EDT 2014


On 06/09/2014 03:28 PM, Nordgren, Bryce L -FS wrote:
> How do I set up PKINIT so that the principal: 1] does not have to exist in the local database; and 2] can be from a non-local realm?

The Kerberos protocol does not support cross-realm AS requests.  The
definition of KDC-REQ-BODY in RFC 4120 section 5.4.1 contains only one
realm (at the ASN.1 level, a PrincipalName does not include the realm)
which is used for both the client and server principal.  So the requests
in the second and third examples are actually for a TGT in the
EXTERNAL.ORG realm (presumably krbtgt/EXAMPLE.COM at EXTERNAL.ORG), which
cannot be served from the EXAMPLE.COM KDC.
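The structural point above, as an added illustration that is not part of the mailing-list thread: a hand-rolled DER encoder/decoder for a subset of the RFC 4120 KDC-REQ-BODY. It shows that the body carries exactly one realm field ([2]) which qualifies both cname [1] and sname [3], and that PrincipalName itself has no realm component. The client name, realms and enctypes are constructed sample values, and the function names are this example's own, not MIT Kerberos API.

```python
"""Added illustration (not from the mailing-list thread): a minimal DER
encoder/decoder for a subset of RFC 4120 KDC-REQ-BODY.  The body has one
realm field ([2]) that applies to both cname [1] and sname [3]; the
PrincipalName type contains no realm at all.  Sample names are constructed."""

# ---- DER primitives (tags and lengths only, no external ASN.1 library) ----
def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV: tag byte, definite length, content."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:                                              # long-form length
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_int(v: int) -> bytes:
    """INTEGER (tag 0x02), minimal two's-complement encoding, v >= 0."""
    return der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def der_seq(*parts: bytes) -> bytes:
    """SEQUENCE / SEQUENCE OF (tag 0x30)."""
    return der_tlv(0x30, b"".join(parts))

def der_ctx(n: int, inner: bytes) -> bytes:
    """[n] EXPLICIT context-specific constructed tag (0xA0 | n)."""
    return der_tlv(0xA0 | n, inner)

def kerberos_string(s: str) -> bytes:
    """KerberosString ::= GeneralString (tag 0x1B)."""
    return der_tlv(0x1B, s.encode("ascii"))

NT_PRINCIPAL, NT_SRV_INST = 1, 2

def principal_name(name: str, name_type: int) -> bytes:
    """PrincipalName ::= SEQUENCE { name-type [0] Int32,
                                    name-string [1] SEQUENCE OF KerberosString }
    'a/b' becomes two components.  Note there is no realm field in this type."""
    comps = der_seq(*[kerberos_string(c) for c in name.split("/")])
    return der_seq(der_ctx(0, der_int(name_type)), der_ctx(1, comps))

def kdc_req_body(cname: str, realm: str, sname: str, nonce: int, etypes) -> bytes:
    """KDC-REQ-BODY subset: kdc-options [0], cname [1], realm [2], sname [3],
    till [5], nonce [7], etype [8].  PKINIT's PA-PK-AS-REQ travels in the
    padata of the enclosing KDC-REQ, not in this body, so the body looks the
    same whatever pre-authentication mechanism is used."""
    kdc_options = der_tlv(0x03, b"\x00" + bytes(4))   # BIT STRING, 32 zero bits
    till = der_tlv(0x18, b"20370913024805Z")           # KerberosTime (GeneralizedTime)
    return der_seq(
        der_ctx(0, kdc_options),
        der_ctx(1, principal_name(cname, NT_PRINCIPAL)),
        der_ctx(2, kerberos_string(realm)),            # the only realm in the body
        der_ctx(3, principal_name(sname, NT_SRV_INST)),
        der_ctx(5, till),
        der_ctx(7, der_int(nonce)),
        der_ctx(8, der_seq(*[der_int(e) for e in etypes])),
    )

# ---- decoder: read the body back the way a KDC would ----
def der_read(buf: bytes, pos: int = 0):
    """Parse the TLV at pos; return (tag, content, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                      # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln

def der_children(content: bytes):
    """Yield (tag, content) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, val, pos = der_read(content, pos)
        yield tag, val

def decode_principal_name(pn: bytes) -> str:
    fields = dict(der_children(pn))                    # 0xA0 name-type, 0xA1 name-string
    _, comps, _ = der_read(fields[0xA1])               # unwrap the SEQUENCE OF
    return "/".join(v.decode("ascii") for _, v in der_children(comps))

def body_fields(body: bytes) -> dict:
    _, content, _ = der_read(body)
    return dict(der_children(content))

def realm_field_count(body: bytes) -> int:
    """Number of [2] realm fields in the body (exactly one in a valid body)."""
    _, content, _ = der_read(body)
    return sum(1 for tag, _ in der_children(content) if tag == 0xA2)

def requested_principals(body: bytes):
    """Return (client, server) as the KDC interprets them: both names are
    qualified with the single realm from field [2]."""
    f = body_fields(body)
    realm = der_read(f[0xA2])[1].decode("ascii")
    cname = decode_principal_name(der_read(f[0xA1])[1])
    sname = decode_principal_name(der_read(f[0xA3])[1])
    return f"{cname}@{realm}", f"{sname}@{realm}"

if __name__ == "__main__":
    # Constructed sample: a client from EXTERNAL.ORG hoping EXAMPLE.COM will
    # issue it a TGT.  The body cannot express "client realm EXTERNAL.ORG,
    # server realm EXAMPLE.COM"; whatever realm is written into [2] applies
    # to both names, so this asks EXTERNAL.ORG for krbtgt/EXAMPLE.COM@EXTERNAL.ORG.
    body = kdc_req_body("alice", "EXTERNAL.ORG", "krbtgt/EXAMPLE.COM", 12345, [18, 17])
    print(requested_principals(body))
    # ('alice@EXTERNAL.ORG', 'krbtgt/EXAMPLE.COM@EXTERNAL.ORG')
```

Swapping the realm to EXAMPLE.COM does not help either: the client name then becomes alice@EXAMPLE.COM, which is why the question's first requirement (no local principal) and second requirement (non-local realm) cannot both be met by a single AS request.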

