On 9/17/19 10:22 PM, Vipin Rathor wrote:
> I am trying to develop an application which can talk to a kerberized
> service running in a remote realm. I am aware that this would ideally
> require having trust (one way or two way) between my current realm and
> the remote realm. Additionally, we want to avoid having trust as a requirement
> (the folks maintaining the remote realm are quite 'possessive' about their
> realm).
Active Directory uses the term "trust" to describe cross-realm relationships, but there is no requirement for trust between Kerberos 5 realms which share cross-realm keys. Application servers do need to be careful to grant an appropriate level of privilege (which might mean no access at all) to clients in foreign realms.

(I can't tell from the question whether this is a primarily Microsoft environment or whether the environment uses Heimdal or MIT krb5.)

> What if my application can get two TGTs from both the realms and instead of
> getting a cross-realm TGS, it can use the respective TGTs to talk to
> respective realms?

Yes, an application can have two credential caches containing credentials for different client principals. These caches can be managed individually, or as part of a cache collection:

http://web.mit.edu/kerberos/krb5-latest/doc/basic/ccache_def.html#collections-of-caches

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
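The two-cache arrangement the reply describes, as an added example that is not part of the thread and not MIT krb5 code: it lays out a DIR: cache collection on disk (one FILE-format cache per client principal under a tkt* name, plus the primary file that kswitch updates), reads the default principal back out of each cache by walking the documented FILE ccache layout (version 4 header, then name type, component count, realm and components, all big-endian and length-prefixed), and then picks the cache whose client realm matches the realm of the service being contacted. The principal and realm names (HOME.EXAMPLE, REMOTE.EXAMPLE) are made up, and the caches contain only a default principal, no credential records, so the script runs offline; on a real system the same selection would be done against caches populated by kinit.

```python
"""Model a DIR: credential cache collection with one cache per client
principal, and select the cache for a target realm.

Added example for the mailing-list thread above; not MIT krb5 code.  The
caches are constructed in-memory with only the default principal (no
credential records), so nothing here contacts a KDC.
"""
import os
import struct
import tempfile

# Constructed sample identities, one per realm (not from the thread).
SAMPLE_PRINCIPALS = {
    "tkt_home": "alice@HOME.EXAMPLE",
    "tkt_remote": "alice-svc@REMOTE.EXAMPLE",
}

KRB5_NT_PRINCIPAL = 1


def _counted(b: bytes) -> bytes:
    """32-bit big-endian length prefix, as used inside the FILE ccache."""
    return struct.pack(">I", len(b)) + b


def build_minimal_ccache(principal: str) -> bytes:
    """Encode a version-4 FILE ccache holding only the default principal.

    Layout: 0x0504, a 16-bit header length (we write no header tags, so 0),
    then the principal as name type, component count, realm, components.
    A cache written by kinit would be followed by credential records.
    """
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    out = b"\x05\x04" + struct.pack(">H", 0)
    out += struct.pack(">II", KRB5_NT_PRINCIPAL, len(comps))
    out += _counted(realm.encode())
    for c in comps:
        out += _counted(c.encode())
    return out


def parse_default_principal(data: bytes) -> str:
    """Return the default (client) principal stored in a FILE ccache blob."""
    if data[:2] not in (b"\x05\x03", b"\x05\x04"):
        raise ValueError("unsupported ccache version %r" % data[:2])
    pos = 2
    if data[1] == 4:
        (hlen,) = struct.unpack_from(">H", data, pos)
        pos += 2 + hlen  # skip header tags (DeltaTime etc.)
    _name_type, ncomp = struct.unpack_from(">II", data, pos)
    pos += 8
    fields = []
    for _ in range(ncomp + 1):  # realm first, then the components
        (n,) = struct.unpack_from(">I", data, pos)
        pos += 4
        fields.append(data[pos:pos + n].decode())
        pos += n
    return "/".join(fields[1:]) + "@" + fields[0]


def set_primary(directory: str, fname: str) -> None:
    """Record the primary cache's file name, as kswitch does for DIR: caches."""
    with open(os.path.join(directory, "primary"), "w") as f:
        f.write(fname + "\n")


def primary_of(directory: str) -> str:
    with open(os.path.join(directory, "primary")) as f:
        return f.read().strip()


def write_collection(directory: str, principals: dict) -> None:
    """Populate a DIR: collection: one tkt* cache per principal plus 'primary'."""
    for fname, princ in principals.items():
        with open(os.path.join(directory, fname), "wb") as f:
            f.write(build_minimal_ccache(princ))
    set_primary(directory, next(iter(principals)))


def list_collection(directory: str) -> dict:
    """Map each tkt* cache in the collection to its client principal."""
    out = {}
    for fname in sorted(os.listdir(directory)):
        if fname.startswith("tkt"):
            with open(os.path.join(directory, fname), "rb") as f:
                out[fname] = parse_default_principal(f.read())
    return out


def select_cache_for_realm(directory: str, realm: str):
    """Pick the cache whose client principal belongs to `realm`.

    Without cross-realm keys, a service in REMOTE.EXAMPLE can only be
    reached with the TGT obtained directly from that realm's KDC, so the
    client identity is chosen by the target realm, not by the primary cache.
    Returns (filename, principal) or None when no cache matches.
    """
    for fname, princ in list_collection(directory).items():
        if princ.rsplit("@", 1)[1] == realm:
            return fname, princ
    return None


def demo(realm: str = "REMOTE.EXAMPLE") -> dict:
    """Build a fresh collection, select the cache for `realm`, make it primary."""
    d = tempfile.mkdtemp(prefix="krb5cc_dir_")
    write_collection(d, SAMPLE_PRINCIPALS)
    chosen = select_cache_for_realm(d, realm)
    if chosen is not None:
        set_primary(d, chosen[0])
    return {"dir": d, "caches": list_collection(d),
            "chosen": chosen, "primary": primary_of(d)}


if __name__ == "__main__":
    r = demo("REMOTE.EXAMPLE")
    print("KRB5CCNAME=DIR:" + r["dir"])
    for fname, princ in r["caches"].items():
        print("  %-12s %s" % (fname, princ))
    print("primary now:", r["primary"])
```

The realm-based selection is the piece an application has to get right: with two TGTs in hand, it must present the identity issued by the target service's own realm, and a service that sees a client principal from a foreign realm should apply its own authorization decision, up to denying access entirely, as the reply notes.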