On 03/15/2017 11:39 AM, Osipov, Michael wrote:
> So there is basically no way to tell MIT Kerberos if your home realm is
> unable to route the request, it should try other realms, correct?
No; we have a fallback realm mechanism in the TGS client code, but it
only tries one realm (determined by TXT
On Mar 15, 2017, at 10:56 AM, Osipov, Michael wrote:
>
> Both aren't an option:
>
> 1. TXT records are unknown to Windows are all host to realm mapping is
> performed by the domain controller by querying the global catalog
But you could still add TXT records to your domain controllers (assuming
On 03/15/2017 10:56 AM, Osipov, Michael wrote:
>> * The host-based service referrals mechanism also seems promising, and
>> you're certainly running a new enough version of Kerberos to accommodate
>> it. I have not personally used it (yet), but it maintains security
>> whereas the DNS lookup mecha
On Mar 15, 2017, at 8:15 AM, Osipov, Michael wrote:
>
> Hi folks,
>
> we are experiencing a problem with an insufficient Kerberos setup on Active Directory
> side which can be solved on Windows-side with Kerberos Forest Search Order [1].
> What Windows basically does is to traverse a list