Douglas E. Engert <[EMAIL PROTECTED]> wrote:
> Markus Moeller wrote:
>>> TGS-REP error_code: KRB5KDC_ERR_PATH_NOT_ACCEPTED (28)
>
> This looks like AD is checking the transited path, and does not like
> it. RFC4120 section 2.7 does not require the KDC to check the
> transited field, and the client may even ask the KDC to not check it,
> with the DISABLE-TRANSITED-CHECK flag, but the KDC may still check.
>
> AD does a lot more with trust than the MIT KDCs and may treat forests
> and external realms differently. In your diagram, you are trying to
> connect TEST.COM not at the forest root. In most of the Microsoft
> documents they talk about connecting forests at the root.
>
> They talk about the different types of trust. I don't see
> "External Transitive" which is what I think you are trying to do.
> Although Realm Trust looks very close, but TEST.COM is AD, not
> Kerberos.
>
> Can you connect TEST.COM to TOP.COM? This would be forest trust.
> Or can you rename your TEST.COM to TEST.DOM1.TOP.COM and have it join the
> forest? Then AD should not have any problems, and you would not need
> the capaths, as the default is to go up the tree then back down.
The AD domain to non-AD domain trust likely needs to be changed to a "transitive" trust using the netdom.exe tool. For example:

netdom trust <AD domain> /domain:<non-AD domain> /ForestTRANsitive:yes

<<CDC

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
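The transited-path check that Doug describes can be modelled in a few lines. The following Python is an added illustration, not code from this thread, from MIT krb5 or from Active Directory: it builds the cross-realm path a KDC expects between a client realm and a server realm, either from a capaths table (assumed here to mirror the shape of krb5.conf [capaths]: client realm, then server realm, then the intermediate realms, with "." meaning a direct trust) or from the default hierarchy (climb to the longest shared suffix, then descend), and rejects a ticket whose transited field names a realm off that path with the error code seen in the TGS-REP. The realm names are the ones from the thread; the scenario in the demo, the function names and the capaths layout are constructed for the example.

```python
"""Model of a KDC-side transited-realm check (RFC 4120 section 2.7).

Added example, not the thread's or any KDC's code. The default hierarchical
walk approximates the "up the tree then back down" rule; the capaths table is
assumed to follow krb5.conf [capaths] semantics.
"""
from __future__ import annotations

from typing import Dict, List, Optional

# Error code from the TGS-REP quoted in the thread.
KRB5KDC_ERR_PATH_NOT_ACCEPTED = 28

# capaths[client_realm][server_realm] -> intermediate realms ("." = direct).
CaPaths = Dict[str, Dict[str, List[str]]]


def hierarchical_path(client_realm: str, server_realm: str) -> List[str]:
    """Intermediate realms on the default path: climb from the client realm to
    the longest common suffix of the two names (or the top-level label when
    nothing is shared), then descend to the server realm. Endpoints excluded."""
    client, server = client_realm.upper(), server_realm.upper()
    c, s = client.split("."), server.split(".")
    common = 0
    while common < min(len(c), len(s)) and c[-1 - common] == s[-1 - common]:
        common += 1
    climb_min = max(common, 1)          # shortest suffix reached while climbing
    descend_start = common + 1 if common else 1  # first suffix below the shared one
    # Climb: suffixes of the client realm, one label shorter at each step.
    climb = [".".join(c[i:]) for i in range(1, len(c) - climb_min + 1)]
    # Descend: suffixes of the server realm, one label longer at each step.
    descend = [".".join(s[i:]) for i in range(len(s) - descend_start, -1, -1)]
    return [r for r in climb + descend if r != server]


def expected_path(client_realm: str, server_realm: str,
                  capaths: Optional[CaPaths] = None) -> List[str]:
    """Intermediate realms the KDC expects; a capaths entry wins over the
    hierarchy, and "." in an entry means the realms trust each other directly."""
    client, server = client_realm.upper(), server_realm.upper()
    entry = (capaths or {}).get(client, {}).get(server)
    if entry is not None:
        return [r.upper() for r in entry if r != "."]
    return hierarchical_path(client, server)


def check_transited(client_realm: str, server_realm: str, transited: List[str],
                    capaths: Optional[CaPaths] = None) -> int:
    """Return 0 when every realm in the ticket's transited field lies on the
    expected path, else KRB5KDC_ERR_PATH_NOT_ACCEPTED. A client may ask for
    this check to be skipped (DISABLE-TRANSITED-CHECK), but a KDC is free to
    enforce it anyway, which is what the thread observes from AD."""
    allowed = set(expected_path(client_realm, server_realm, capaths))
    off_path = [r for r in transited if r.upper() not in allowed]
    return KRB5KDC_ERR_PATH_NOT_ACCEPTED if off_path else 0


if __name__ == "__main__":
    # Constructed scenario after the thread: TEST.COM trusts the child domain
    # DOM1.TOP.COM rather than the forest root, and a ticket for the root
    # TOP.COM therefore arrives having transited DOM1.TOP.COM.
    print(expected_path("TEST.COM", "TOP.COM"))                          # ['COM']
    print(check_transited("TEST.COM", "TOP.COM", ["DOM1.TOP.COM"]))      # 28
    # Declaring that path in capaths makes the same ticket acceptable ...
    capaths = {"TEST.COM": {"TOP.COM": ["DOM1.TOP.COM"]}}
    print(check_transited("TEST.COM", "TOP.COM", ["DOM1.TOP.COM"], capaths))  # 0
    # ... as does Doug's alternative of renaming the realm into the tree,
    # where the default hierarchy already passes through DOM1.TOP.COM.
    print(check_transited("TEST.DOM1.TOP.COM", "TOP.COM", ["DOM1.TOP.COM"]))  # 0
```

The demo shows the two ways out of error 28 that the thread discusses: teach the KDCs the non-hierarchical path explicitly (capaths on the MIT side, a transitive trust on the AD side), or place the realm where the default hierarchy already reaches it.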