Wouter Verhelst <[EMAIL PROTECTED]> writes: > Now when I try to do cross-realm authentication from a Windows host, it > does not seem to work. The steps I've taken include: > > - set up cross-realm authentication: I have a one-way "incoming" trust > relationship in Windows, and created a > "krbtgt/[EMAIL PROTECTED]" principal in kadmin, with the same > password (a 40-character random string that was copy-pasted in both > cases). The trust is a "realm" trust, not a "domain trust", to account > for the differences between Windows "Kerberos" and the actual > protocol.
For what it's worth, Windows Kerberos is the actual protocol. Except for some issues around PKINIT, which aren't really Microsoft's fault, and the bugs that any implementation will have, Windows Kerberos follows the protocol just like everyone else. The PAC is allowed for in the protocol. Microsoft does deserve negative press for some things around how they handled the PAC situation, but protocol compliance isn't one of them. Microsoft Windows KDCs interoperate quite well with the rest of the world. > What's peculiar is that in the final two steps, the windows system > doesn't even seem to request cross-realm kerberos tickets; it doesn't > get a TGT, nor does it try to contact the MIT kerberos server. I think you have a one-way trust going the wrong way for what you're trying to do. You need an outgoing trust from Windows to MIT for the Windows client to get cross-realm tickets with MIT. Why not just set up full bidirectional trust? That's what we do and I can confirm that once that trust is set up, what you're trying to do works just fine; we do exactly the same thing for our central web authentication system. -- Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/> ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
