I am trying to set up a cross-realm environment between a Microsoft KDC and a KDC running in the Unix environment and keep getting "Authorization failed" when doing a kerberized telnet from the Microsoft side to Unix. The Unix KDC runs the CyberSafe version of Kerberos version 5.

Details:
Microsoft hostname: microkerb.org
Microsoft realm: MICROKERB.ORG
Unix hostname: kerbsrvt1.test.org
Unix Realm: UKREALM

I have read the Microsoft and CyberSafe interoperability papers and set up the appropriate trusts and user mappings between the 2 realms (I think).

When I log on an XP machine in the Microsoft realm I get the following tickets:

MICROKERB.ORG
|
|-- [EMAIL PROTECTED]
|-- [EMAIL PROTECTED]
|-- host/xpbox1.microkerb.org
|-- [EMAIL PROTECTED]
|-- [EMAIL PROTECTED]
|-- [EMAIL PROTECTED]

I do the telnet and get the following messages when I turn on debugging:

-------------------------------------------------------------
Sent: WILL AUTHENTICATION
Sent: DO ENCRYPT
Sent: WILL ENCRYPT
Sent: WILL NAWS
Rcvd: DO AUTHENTICATION
Rcvd: SB AUTHENTICATION KERBEROS_V4 SERVER|MUTUAL KERBEROS_V5 SERVER|MUTUAL 0 1 2 1 0
Rcvd: WILL ENCRYPT
Rcvd: DO ENCRYPT
Sent: WILL ENCRYPT
Rcvd: SB ENCRYPT SUPPORT 1 2
Rcvd: DO NAWS
Sent: WILL NAWS
Sent: SB NAWS 0 50 0 28
Rcvd: DO TERMINAL TYPE
Sent: WILL TERMINAL TYPE
Rcvd: DO TSPEED
Sent: WONT TSPEED
Rcvd: DO XDISPLOC
Sent: WONT XDISPLOC
Rcvd: DO ENVIRON
Sent: WONT ENVIRON
Rcvd: SB TERMINAL TYPE 1
Sent: SB TERMINAL TYPE 0 56 54 31 30 30
_telnetd: Authorization failed.
Remote Host Closed
--------------------------------------------------------

In the Unix log I get:

Oct 23 14:19:10 kerbsrvt1 telnetd[11334]: connection from xpbox1.microkerb.org at ipaddr xxx.xx.xxx.xxx
Oct 23 14:19:11 kerbsrvt1 telnetd[11334]: $TELNETD-E-C00008B6, Authorization failed

After this I get the following additional tickets for the Unix realm.

UKREALM
|
|-- krbtgt/UKREALM
|-- host/kerbsrvt1.test.org


Could my mappings be wrong? It appears that I get my cross-realm ticket then fail using it. Any suggestions for changes or additional debugging that I can be using?

Thank You,
Dain


________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos