Cross-realm with AD trusting Kerberos

Benjamin Kaduk kaduk at MIT.EDU
Wed Nov 11 21:28:08 EST 2015


On Wed, 11 Nov 2015, Leonard J. Peirce wrote:

> In an attempt to stop syncing passwords between Kerberos and AD and get to
> a single password store we are currently testing cross-realm with Active
> Directory trusting Kerberos.  We have the trust configured and our Windows
> admin here says that he can successfully authenticate against our KDC
> from an AD-enabled Windows host but is required to specify the @realm
> in order to authenticate since our AD domain is different from our
> Kerberos realm.
>
> Our Windows admin feels this is unworkable.  I'm not really a Windows/AD
> expert but looking at the Windows ksetup command the /addhosttorealmmap
> and /addrealmflags options look promising.
>
> Has anyone had success with cross-realm and AD trusting Kerberos this
> way?

I'm not entirely sure whether this is the scenario you have in mind, but
there is a registry setting to control the default realm used at login
time:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DefaultLogonDomain
and also
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\Domain
which is used for some other thing that I don't remember offhand.

At MIT, we have an AD domain WIN.MIT.EDU for the machines to be joined to,
but users authenticate to the MIT krb5 realm ATHENA.MIT.EDU.  (I was not
around at that time, but it is possible that MIT made the original request
for those settings to be added.)

-Ben Kaduk