Cross-realm trusts w/ MS Windows 2003

Douglas E. Engert deengert at
Mon Aug 18 12:03:06 EDT 2003

You might also want to try the trace program
for Windows on the client as it can also parse the KRB5 messages.
This might show the traffic. 

Joseph Galbraith wrote:
> We develop the SecureCRT and VShell SSH client and
> server packages.  We've now added support for GSSAPI
> key exchange and authentication using kerberos to these
> packages.
> However, when I tried to test our support
> using a cross realm trust relationship between a
> MIT kerberos REALM & a Microsoft Kerberos domain,
> I started running into trouble.

Which realm is the user in and which realm is the server in?

> One of the problems is that I'm getting an "Insufficient
> memory error" from the MS api (I've got an incident open
> with them about this, since the error is bogus.)  However,
> I'm trying to track down the underlying cause of the problem.
> I think the KDC for the MIT kerberos realm is using the MIT
> kerberos build that shipped w/ redhat 7.  RPM says it is
> 1.2.4-1.  (How best to tell what version is in use?)  It
> contains
> I'm using Windows Server 2003 on the MS side.

There might be a problem with the size of the tickets, as
the PAC can add an extra 1000 bytes. I understand that 2003 tries to
switch from UDP to TCP with a smaller ticket size than W2K did.

There might also be a problem determining the realm of the server,
as the MS code might be doing referrals, which the MIT code may
not support.

> I'm getting the following in my log file:
> Aug 18 08:50:58 krb5kdc[863](info): TGS_REQ
>    (7 etypes {23 -133 -128 3 1 24 -135})
>    PROCESS_TGS: authtime 0,  <unknown client> for
>    host/ at, Key table entry not found
> In the log file, the SPN realm name, VANDYKE.COM, has been converted
> to lower case.  It seems to me this might be the problem, but I'm
> not sure.  What do you think?
> Is there any chance that the data coming into the MIT
> kdc is correct, but the case is being changed as it
> is written to the log file?
> My current suspicion is that MS is somehow changing it between
> my calling InitializeSecurityContext() and it getting on the
> wire.
> Microsoft developer support is analyzing a tcp capture and
> log files, so hopefully they will tell me more soon.
> If I were going to attach a debugger to the kerberos kdc daemon
> and watch the data come through, where would be the best place
> to set a break point?
> Thanks,
> Joseph


 Douglas E. Engert  <DEEngert at>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
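As an added example (not from the thread or from MIT Kerberos): a small Python checker for the krb5kdc TGS_REQ line quoted above that pulls out the offered enctypes and the service principal and flags the realm-case mismatch Joseph suspects. The log line and the principal name are constructed; the names for the negative enctypes are assumed to be the KERB_ETYPE_* constants from the Windows SDK.

```python
import re

# Constructed sample line, modelled on the krb5kdc entry quoted in the thread.
# The service host name is a placeholder; the realm is the lowercased form reported.
SAMPLE_LOG = (
    "Aug 18 08:50:58 krb5kdc[863](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) "
    "PROCESS_TGS: authtime 0,  <unknown client> for host/server.example@vandyke.com, "
    "Key table entry not found"
)

# Positive values: RFC 3961 / RFC 4757 enctype numbers.
# Negative values: Microsoft-private enctypes (assumed KERB_ETYPE_* names from ntsecapi.h).
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac", 24: "rc4-hmac-exp",
    -128: "KERB_ETYPE_RC4_MD4", -133: "KERB_ETYPE_RC4_HMAC_OLD",
    -135: "KERB_ETYPE_RC4_HMAC_OLD_EXP",
}

LINE_RE = re.compile(
    r"TGS_REQ \((?P<n>\d+) etypes \{(?P<etypes>[-\d ]+)\}\) .*? for (?P<princ>\S+?),"
    r" (?P<msg>.*)$"
)

def parse_tgs_req(line):
    """Return the offered etypes, service principal parts and KDC result message."""
    m = LINE_RE.search(line)
    if not m:
        return None
    etypes = [int(x) for x in m.group("etypes").split()]
    name, _, realm = m.group("princ").rpartition("@")
    return {"etypes": etypes, "service": name, "realm": realm, "msg": m.group("msg")}

def diagnose(line, known_realms):
    """Flag a realm that matches a known realm only case-insensitively (Kerberos
    realm names are case-sensitive) and list any Microsoft-private enctypes."""
    rec = parse_tgs_req(line)
    if rec is None:
        return ["unrecognised line"]
    findings = []
    if rec["realm"] not in known_realms:
        ci = [r for r in known_realms if r.lower() == rec["realm"].lower()]
        if ci:
            findings.append(f"realm case mismatch: got {rec['realm']!r}, KDC knows {ci[0]!r}")
        else:
            findings.append(f"unknown realm {rec['realm']!r}")
    ms_private = [ETYPE_NAMES.get(e, str(e)) for e in rec["etypes"] if e < 0]
    if ms_private:
        findings.append("Microsoft-private enctypes offered: " + ", ".join(ms_private))
    if "Key table entry not found" in rec["msg"]:
        findings.append(f"KDC reports no key for {rec['service']}@{rec['realm']}")
    return findings
```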
