On 1/17/2011 2:54 AM, krbmit siso wrote:
> Hi Douglas
>
> Thank you for the link.
> I have followed the same for cross realm authentication between two realms.
> Please find the attached captures.
> Please guide me and let me know if there is any mistake in the requests sent from
> the client.
>
> Regards
> Naveen
>
Records 6 and 7 show a clock skew, but this is minor, as the client reissued the request at 19 with the response at 24.

Record 19 shows you are using PKINIT with your smart card, a CAC card I assume. The client machine must be in realm DPDNETWORKING.COM, as the initial request (19) was sent to the client machine's DC. No cross-realm is actually being done! DPDNETWORKING.COM responded with a TGT in record 24.
  The client is cac_use...@cac2k8domain.com
  The server is krbtgt/DPDNETWORKING.COM

In records 36 and 46, the client machine tries to get tickets for cifs/win2003dpdnic.dpdnetworking.com and smtpsvc/win2003dpdnic.dpdnetworking.com using the TGT from 24, with client cac_use...@cac2k8domain.com. And it looks like the user account cac_user_1 is not found in the AD.

So I think the problems are related to the way you have registered (or not registered) the smartcard in AD, and how AD can derive the domain account to use from a certificate.

In Windows 2000, the certificate had to be issued with a subjectAltName OtherName msUPN where the UPN was the principal name. Over the years, with Windows 7, this is not a requirement: third-party CAs can be used, and one certificate can be used at multiple domains. The main point is: given a certificate, what domain account does this map to? In W7 a user can specify the account during login, or let AD figure it out by mapping the certificate to an account.

Google for:
  site:microsoft.com PIV smartcard login

> On Fri, Jan 7, 2011 at 9:17 PM, Douglas E. Engert <deeng...@anl.gov> wrote:
>
>
>
> On 1/6/2011 11:22 PM, krbmit siso wrote:
> > Hi All,
> >
> > Please provide some information on the working of cross realm.
> > Any links or PDFs on the same are appreciated
>
> Google for these:
>   kerberos cross-realm authentication
>   AD cross-realm authentication
>   site:microsoft.com cross-realm
>
> > Thanks and Regards
> > Naveen
> > ________________________________________________
> > Kerberos mailing list Kerberos@mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
> --
> Douglas E. Engert <deeng...@anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444

--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
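The certificate-to-account question the reply ends on (given a certificate, which domain account does it map to?) comes down to what the KDC can read out of the certificate's subjectAltName. The script below is an added example, not code from the thread or from any of its participants. Using only the Python standard library it builds a constructed subjectAltName (not bytes from the poster's capture), extracts the msUPN otherName (OID 1.3.6.1.4.1.311.20.2.3, the Microsoft UPN the reply refers to), derives the Kerberos principal an AD KDC would assume from that UPN, and compares the UPN's realm with the realm that issued the TGT. With the names from the thread that is cac2k8domain.com against DPDNETWORKING.COM, which is exactly the mismatch the reply describes. The rule "UPN suffix equals home realm" is the example's own assumption: AD allows alternate UPN suffixes and explicit altSecurityIdentities mappings, so a mismatch is a lead to check, not a proof.

```python
"""Which AD account does a smart-card certificate map to?

Added example, not code from the thread. It pulls the Microsoft UPN
(otherName OID 1.3.6.1.4.1.311.20.2.3, the msUPN the reply mentions) out of
a DER subjectAltName with the standard library only, derives the Kerberos
principal an AD KDC would assume from it, and compares that realm with the
realm that issued the TGT. The SAN bytes are constructed, not from a capture.
"""

MSUPN_OID = "1.3.6.1.4.1.311.20.2.3"   # szOID_NT_PRINCIPAL_NAME

# --- minimal DER encoder, used only to build the constructed sample SAN ---

def der(tag: int, content: bytes) -> bytes:
    """Tag-length-value with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:                 # base-128, high bit means "more"
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def build_san(upn, email: str) -> bytes:
    """SubjectAltName ::= SEQUENCE OF GeneralName (RFC 5280 4.2.1.6)."""
    names = b""
    if upn is not None:                  # [0] otherName: OID + [0] EXPLICIT UTF8String
        names += der(0xA0, encode_oid(MSUPN_OID) + der(0xA0, der(0x0C, upn.encode())))
    names += der(0x81, email.encode())   # [1] rfc822Name (IA5String), a non-UPN entry
    return der(0x30, names)

# --- minimal DER decoder ---

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position just after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: next bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content: bytes) -> str:
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def upn_from_san(san: bytes):
    """Return the msUPN string from a DER subjectAltName, or None if absent."""
    tag, names, _ = read_tlv(san, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    pos = 0
    while pos < len(names):
        tag, content, pos = read_tlv(names, pos)
        if tag != 0xA0:                  # only otherName can carry the UPN
            continue
        oid_tag, oid, p = read_tlv(content, 0)
        if oid_tag != 0x06 or decode_oid(oid) != MSUPN_OID:
            continue                     # a different otherName (e.g. id-pkinit-san)
        _, explicit, _ = read_tlv(content, p)      # unwrap [0] EXPLICIT
        vtag, value, _ = read_tlv(explicit, 0)
        if vtag == 0x0C:                 # UTF8String
            return value.decode("utf-8")
    return None

def check_mapping(san: bytes, tgt_realm: str) -> dict:
    """Compare the realm implied by the UPN suffix with the TGT's issuing realm.
    Assumption (mine, not the thread's): UPN suffix == home realm. AD permits
    alternate UPN suffixes, so a mismatch is a lead, not proof."""
    upn = upn_from_san(san)
    if upn is None:
        return {"upn": None, "principal": None, "realm_match": False,
                "note": "no msUPN in SAN; the KDC needs another mapping "
                        "(e.g. altSecurityIdentities) to find the account"}
    user, _, domain = upn.rpartition("@")
    realm, issuer = domain.upper(), tgt_realm.upper()
    return {"upn": upn, "principal": f"{user}@{realm}", "realm_match": realm == issuer,
            "note": ("UPN realm matches TGT issuer" if realm == issuer
                     else f"UPN names {realm} but the TGT came from {issuer}")}

if __name__ == "__main__":
    san = build_san("cac_user_1@cac2k8domain.com", "cac_user_1@cac2k8domain.com")
    print(check_mapping(san, "DPDNETWORKING.COM"))           # realm_match: False
    print(check_mapping(build_san(None, "x@y.example"), "DPDNETWORKING.COM"))
```

To run this against a real card certificate instead of the constructed sample, feed `upn_from_san` the DER value of the certificate's subjectAltName extension. With pyca/cryptography the same entry appears as an `x509.OtherName` whose `type_id` is the UPN OID and whose `value` is the DER-encoded UTF8String, so the check reduces to comparing that value's suffix with the realm seen in the AS-REP of the capture.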