Hello Markus, Thank you for this advice. I shall try out your suggestion.
When I run kinit -V us_domain_...@eu.company.net I get the message: kinit(v5): Client not found in Kerberos database while getting initial credentials while kinit -V eu_domain_...@eu.company.net prompts for password. I understood that there were trusts between the domains, but this looks like there isn't. Regards, Kevan Earl -------------------------------------------------------------------------- AstraZeneca UK Limited is a company incorporated in England and Wales with registered number: 03674842 and a registered office at 15 Stanhope Gate, London W1K 1LN. Confidentiality Notice: This message is private and may contain confidential, proprietary and legally privileged information. If you have received this message in error, please notify us and remove it from your system and note that you must not copy, distribute or take any action in reliance on it. Any unauthorised use or disclosure of the contents of this message is not permitted and may be unlawful. Disclaimer: Email messages may be subject to delays, interception, non-delivery and unauthorised alterations. Therefore, information expressed in this message is not given or endorsed by AstraZeneca UK Limited unless otherwise notified by an authorised representative independent of this message. No contractual relationship is created by this message by any person unless specifically indicated by agreement in writing other than email. Monitoring: AstraZeneca UK Limited may monitor email traffic data and content for the purposes of the prevention and detection of crime, ensuring the security of our computer systems and checking Compliance with our Code of Conduct and Policies. -----Original Message----- From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu]on Behalf Of Markus Moeller Sent: 25 March 2009 00:04 To: kerberos@mit.edu Subject: Re: Kerberos authetication against multiple Windows Domains "Earl, Kevan C" <kevan.e...@astrazeneca.com> wrote in message news:3154febcfb92804da39a2560e17183760341f...@ukaprdembx02.rd.astrazeneca.net... > Hello, > > I'm after some advice on how to configure Kerberos v5 to authenticate > users from different Windows domains to the same Apache hosted > application. Is this possible? If so, is there a simple guide on what > needs to be done in order to achieve it that can be shared with me? > > I have Kerberos v5 installed with a Kerberos-capable version of Apache on > AIX 5.3. > I have had a keytab file generated in the Windows "EU" domain, and have > configured the server so the application authenticates users from the "EU" > domain. > > /etc/krb5.conf is similar to: > > [libdefaults] > default_realm = EU.COMPANY.NET > > [realms] > EU.COMPANY.NET = { > kdc = eudc01.eu.company.net > admin_server = eudc01.eu.company.net > default_domain = eu.company.net > } > > [domain_realm] > .svr_domain.company.net = EU.COMPANY.NET > svr_domain.company.net = EU.COMPANY.NET > > What do I need to do in order to also authenticate users from the > companies "US" domain, which is controlled by separate domain > controller(s), to the application? > If the domains have a trust you son't need to do anything. If they don't have trust then you need to create a second keytab entry for the host in the US DC with a sceond DNS name. e.g. In the EU domain the server is server.eu.company.net with a key HTTP/server.eu.company....@eu.company.net in eudc01 and in the US domain the sever is server.us.company.net with a key HTTP/server.us.company....@us.company.net in usdc01. Merge both keys in one keytab for apache and configure the apache kerbereos module to accept all names (I think it is KrbServiceName Any in mod-auth-kerb) > Any help anyone can give me would be very greatfully received. > > Regards, > Kevan Earl > Regards Markus > > -------------------------------------------------------------------------- > AstraZeneca UK Limited is a company incorporated in England and Wales with > registered number: 03674842 and a registered office at 15 Stanhope Gate, > London W1K 1LN. > Confidentiality Notice: This message is private and may contain > confidential, proprietary and legally privileged information. If you have > received this message in error, please notify us and remove it from your > system and note that you must not copy, distribute or take any action in > reliance on it. Any unauthorised use or disclosure of the contents of this > message is not permitted and may be unlawful. > Disclaimer: Email messages may be subject to delays, interception, > non-delivery and unauthorised alterations. Therefore, information > expressed in this message is not given or endorsed by AstraZeneca UK > Limited unless otherwise notified by an authorised representative > independent of this message. No contractual relationship is created by > this message by any person unless specifically indicated by agreement in > writing other than email. > Monitoring: AstraZeneca UK Limited may monitor email traffic data and > content for the purposes of the prevention and detection of crime, > ensuring the security of our computer systems and checking Compliance with > our Code of Conduct and Policies. > > ________________________________________________ > Kerberos mailing list Kerberos@mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos