cross realm authentication problem steve at
Wed Apr 8 17:27:53 EDT 2009

Ok, I am having a problem getting a service ticket from a different realm than the one my principal user is on.


Here is my setup:


Using KDC on AD for both realms.  Each domain has a short-cut trust between each other.  Let's call them X & Y.


When I get a service ticket for the same realm it works fine: service/host@X.


For cross realms I am seeing strange behavior at network level.


User from realm X asks for a service ticket from realm Y: service/host@Y.


First I get back the cross-realm TGT, as in tgt/Y@X. Everything I have seen says this is correct behavior.


When I see the TGS-REQ with that TGT I get the following error:




There is very little information related to this error, but what I did find tells me that it will occur when the TGT is for the wrong realm, i.e. not the realm you are asking for a ticket from.


One thing I thought might be wrong is that the TGT is from the X realm but it is for the Y realm, but all conversations said this is correct behavior and that I should be able to use that krbtgt to get services from realm Y.


I have tried kfw versions 3.2.2 and version 2.6.5 and the behavior is the same.


I am quite confused.


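Added example, not from the post or its thread: a small Python model of the cross-realm exchange described above. It lists which TGTs a client is expected to obtain on the way from its own realm to the service's realm (generalized from the post's single shortcut trust to transitive trust paths) and applies the check the target KDC effectively makes on the TGT in a TGS-REQ: the realm named in the TGT's instance must be the realm of the requested service. The trust graph is constructed; principal names use the standard krbtgt/<realm>@<issuer> form, which the post abbreviates as tgt/Y@X.

```python
from collections import deque

# Constructed trust graph (not from the post): each realm maps to the realms it
# has a direct trust with. X and Y have a two-way shortcut trust, as in the post.
TRUSTS = {"X": {"Y"}, "Y": {"X"}}


def cross_realm_path(client_realm, service_realm, trusts=TRUSTS):
    """Shortest chain of realms from the client's realm to the service's realm
    (BFS over direct trusts); [] if no trust path exists."""
    queue = deque([[client_realm]])
    seen = {client_realm}
    while queue:
        path = queue.popleft()
        if path[-1] == service_realm:
            return path
        for nxt in trusts.get(path[-1], ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return []


def expected_tgts(client_realm, service_realm, trusts=TRUSTS):
    """TGTs the client should hold, in order, before the final TGS-REQ.
    First the local TGT krbtgt/X@X; each hop then adds a cross-realm TGT
    krbtgt/<next>@<issuer>, issued by the previous realm for the next one."""
    path = cross_realm_path(client_realm, service_realm, trusts)
    if not path:
        return []
    tgts = [f"krbtgt/{client_realm}@{client_realm}"]
    for issuer, nxt in zip(path, path[1:]):
        tgts.append(f"krbtgt/{nxt}@{issuer}")
    return tgts


def tgt_matches_target(tgt_principal, service_principal):
    """True if the TGT presented in a TGS-REQ is one the service's KDC can
    decrypt: the KDC of realm R only holds keys for krbtgt/R@<issuer>, so the
    TGT's instance component must equal the realm of the requested service."""
    service, _issuer = tgt_principal.split("@", 1)
    _name, tgt_for_realm = service.split("/", 1)
    target_realm = service_principal.rsplit("@", 1)[1]
    return tgt_for_realm == target_realm
```

For the post's case, expected_tgts("X", "Y") yields krbtgt/X@X then krbtgt/Y@X, and tgt_matches_target("krbtgt/Y@X", "service/host@Y") is true, so a mismatch error at that step points at the KDC's view of the trust rather than at the ticket sequence.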
