cross realm authentication problem

steve@terapak.com steve at terapak.com
Wed Apr 8 20:46:48 EDT 2009


I just figured it out -- Thanks for the response.

 

I did not set up the realms correctly.  I did not specify a KDC for the REALM.

 

Steve

-----Original Message-----
From: "JC Ferguson" <jc at F5.com>
Sent: Wednesday, April 8, 2009 5:17pm
To: "'steve at terapak.com'" <steve at terapak.com>, "'krbdev at mit.edu'" <krbdev at mit.edu>
Subject: RE: cross realm authentication problem

Couple things:

- do you have a network trace from your client showing this flow you can share?

- does the event log on Windows tell you anything?

- is the shortcut trust bi-directional?



> -----Original Message-----
> From: krbdev-bounces at mit.edu [mailto:krbdev-bounces at mit.edu] On Behalf
> Of steve at terapak.com
> Sent: Wednesday, April 08, 2009 17:28
> To: krbdev at mit.edu
> Subject: cross realm authentication problem
>
>
> Ok I am having a problem getting a service ticket from a different
> realm than my principal user is on.
>
>
>
> Here is my setup:
>
>
>
> Using KDC on AD for both realms. Each domain has a short-cut trust
> between each other. Let's call them X & Y.
>
>
>
> When I get service ticket for the same realm it works fine:
> service/host at X.
>
>
>
> For cross realms I am seeing strange behavior at network level.
>
>
>
> User from realm X asks for service ticket from realm Y:
> service/host at Y.
>
>
>
> First I get back the cross realm TGT as in tgt/Y at X.
> From everything I have seen, this is correct behavior.
>
>
>
> When I see the TGS-REQ with that TGT I get the following error:
>
>
>
> KRB5 KRB Error: KDC_ERR_WRONG_REALM
>
>
>
> There is very little information related to this error but what I did
> find tells me that it will occur when the TGT is for the wrong realm
> that you are asking for a ticket from.
>
>
>
> One thing I thought might be wrong is that the TGT is from the X realm but
> it is for the Y realm but all conversations said this is correct
> behavior and that I should be able to use that krbtgt to get services
> from realm Y.
>
>
>
> I have tried kfw versions 3.2.2 and version 2.6.5 and the behavior is
> the same.
>
>
>
> I am quite confused.
>
>
>
> Steve
> _______________________________________________
> krbdev mailing list krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
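
The resolution at the top of this thread was a realm with no KDC specified. The following is an added example, not code from the thread or from MIT Kerberos: a small check that reads a krb5.conf-style profile and lists realms that are referenced but have no `kdc` entry. The realm names `X.EXAMPLE` and `Y.EXAMPLE`, the host names and the function name `realms_without_kdc` are assumptions made for illustration.

```python
import re

# Constructed sample: X.EXAMPLE / Y.EXAMPLE stand in for the thread's realms
# X and Y; the host names are invented. Y is referenced but has no kdc entry.
SAMPLE_BROKEN = """\
[libdefaults]
    default_realm = X.EXAMPLE
[realms]
    X.EXAMPLE = {
        kdc = dc1.x.example
    }
[domain_realm]
    .y.example = Y.EXAMPLE
"""
SAMPLE_FIXED = SAMPLE_BROKEN.replace("[domain_realm]",
    "    Y.EXAMPLE = {\n        kdc = dc1.y.example\n    }\n[domain_realm]")


def realms_without_kdc(conf_text):
    """Return the sorted realms the config references but gives no kdc for."""
    # With dns_lookup_kdc enabled, a realm listed here may still resolve via DNS SRV.
    section, current, depth = None, None, 0
    kdcs, referenced = {}, set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, current, depth = header.group(1), None, 0
        elif line == "}":
            if depth:
                depth -= 1          # closes a nested sub-block
            else:
                current = None      # closes the realm block
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            if section == "realms" and value == "{":
                if current is None:
                    current = key
                    referenced.add(key)
                else:
                    depth += 1
            elif section == "realms" and current and not depth and key == "kdc":
                kdcs.setdefault(current, []).append(value)
            elif section == "domain_realm" or (
                    section == "libdefaults" and key == "default_realm"):
                referenced.add(value)
    return sorted(r for r in referenced if not kdcs.get(r))
```
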


