Cross-realm trusts w/ MS Windows 2003

Wachdorf, Daniel R drwachd at
Mon Aug 18 13:22:58 EDT 2003


We have done extensive testing of Vandyke Secure CRT (the beta version that
supports SSPI) and Windows SSPI (MS GSSAPI) in a cross-realm environment to
both other Windows realms and Kerberos realms.

I initially had the problem that a Windows client using SSPI would not do
GSSAPI authentication to a host in a trusted foreign Kerberos realm.  After
a lot of work talking to Microsoft tech support and even some of the MS
developers, it turns out that Microsoft does not really support using SSPI
to do GSSAPI authentication to a foreign (non-MS) MIT realm. (Despite all
the documentation that claims it can. ie
p) If you make the request in the form of host at REALM, it works.
However, if you use Secure CRT and try to ssh to hostname, Windows has no
way of figuring out what realm that host is in.  You can verify this by
using the GSSAPI test client that Windows released with the one on the MIT
Kerberos distribution (you need the old version 1.1.1).  It works fine if
you specify host at REALM, but if you just specify host, it fails.

The problem lies in the fact that the MS clients are not aware of different
realms. They require referrals given out by the KDC.  The MS KDC uses the
global catalog to determine which realm a given fully qualified hostname is
in.  The problem is that an MIT (non-MS) realm is not in the global catalog.
And from what Microsoft has told us, there is no way to add it.  There is a
registry setting in Win 2003 that will enable its SSPI API (client side) to
be aware of non-MS realms.  This doesn't help us much because most of our
desktops are not 2003.  We have asked them to back-port this to XP and 2k,
obviously where most of the SSPI client code is needed.

Hope this can be some help.


-----Original Message-----
From: Joseph Galbraith [mailto:galb at] 
Sent: Monday, August 18, 2003 10:49 AM
To: Douglas E. Engert
Cc: krbdev at
Subject: Re: Cross-realm trusts w/ MS Windows 2003

>>Aug 18 08:50:58 krb5kdc[863](info): TGS_REQ
>>   (7 etypes {23 -133 -128 3 1 24 -135})
>>   PROCESS_TGS: authtime 0,  <unknown client> for
>>   host/ at, Key table entry not found
>>In the log file, the SPN realm name, VANDYKE.COM, has been converted
>>to lower case.  It seems to me this might be the problem, but I'm
>>not sure.  What do you think?

The ethereal trace is also showing the realm name
in lower case.  Realm names are case sensitive,
aren't they? != VANDYKE.COM ??


