Hi, I am having a hard time trying to get a Cross-Realm-Auth between two Active-Directories working and using that on another Linux-based Webserver via mod_auth_kerb.
I only have direct access to the Webserver, so I am not 100% sure everything is set up correctly on the two ADs. AFAIK there is a one-way non-transitive trust between the two ADs, and according to the AD-Admins that should be enough to get Kerberos-Tickets for the other Domain. Is that right?

I configured mod_auth_kerb like I did for a single-Domain-AD, just configured all the needed KrbAuthRealms in the config-file. In my mind that is all I need, as the request gets picked up by my KDC and then gets forwarded to the corresponding KDC in the other realm, which responds to the ticket-request.

For now the Kerberos-Auth for my main Domain, where my KDC sits, is working without any problem. When connecting from a client in the "opposite" domain I only have a "/user/password mismatch" in my logfile.

I know that's very vague and hard to debug, as I only have control over one piece of the puzzle. Sorry for that ;-)

Any hints or pointers where to look? Or maybe a best-practise-config, perhaps somebody did exactly that before. I only have experience with single-Domain ADs, so I am hoping to get some first-hand expertise in here ;-)

Best Regards,
Tobi
