BarBaar wrote:
> Hello,
> Today I started to sniff the network while trying to set up a cross-realm Kerberos session... (realm named: test.nl and tester.test.nl)
You have lost me here. What is the W2k3 AD domain name and what is the MIT KDC realm name? Yesterday there were TEST.NL (AD) and TEST2.NL (MIT) and the user is [EMAIL PROTECTED]
> And the sniffer (ethereal) did not tell me very much.. But it did tell me the WinXp client is requesting a TGS from the w2k3 AD KDC (which is good!). And the AD KDC sent an error back: krb5kdc_err_s_principal_unknown.. (which is not good)
> So (correct me if I am wrong) the AD KDC does not see that this host is in a different realm, and therefore does not respond with the correct ticket (which should be a krbtgt/[EMAIL PROTECTED])
In strict Kerberos terms, the first request should be for a TGT for the user from the user's realm. It does not matter what the realm of the host is at this point. But if you don't fully qualify the user principal, it will default the user's realm from the realm of the host.
But yesterday you were trying to have the user in the MIT realm, so it is not surprising that the W2K returns principal_unknown.
So try to log in as [EMAIL PROTECTED] giving the full principal name. It should then try and contact the MIT KDC at TEST2.NL and get [EMAIL PROTECTED] krbtgt/[EMAIL PROTECTED] ticket. It will then determine that the host is from a different realm, and will then try and get from TEST2.NL a krbtgt/[EMAIL PROTECTED]
See if you can get this far.
It will then use this TGT against AD to get a host/[EMAIL PROTECTED] But this may get a ticket but not let you login as there is no PAC.
> Any ideas on this?
> ________________________________________________
> Kerberos mailing list [EMAIL PROTECTED]
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
