Hello,
 
I have a question about cross-realm authentication (Kerberos Realm & Win2K).
My scenario is as follows:
A user using a Win2K Professional machine authenticates to a Kerberos Realm. This user 
then wants to access resources in a Win2K domain. I believe that this is possible by 
configuring a trust relationship between the Kerberos Realm and the Win2K domain, which I 
have done following the guidance in the "Step-by-Step Guide to Kerberos 5 Interoperability" 
article.
However, when the user sends a TGS-REQ to the KDC in the Kerberos Realm for a service 
located in the Win2K domain, the Kerberos Realm returns KDC_ERR_S_PRINCIPAL_UNKNOWN. 
After sniffing the packet using Ethereal, I noticed that the client sent a TGS_REQ 
with the canonicalize bit not set. Based on my understanding from the 'Generating KDC 
Referrals to locate Kerberos realms' draft, the client should send a TGS_REQ with the 
canonicalize bit set so that the KDC can return a TGS_REP containing 
PA-SERVER-REFERRAL-INFO.
 
Does anybody have any idea how to solve this problem?
Is there any other configuration (besides the following) that I should do on the 
client machine or on the KDC so that the Windows client that authenticates to the Kerberos 
realm can access Win2K resources in the other domain: 
In KDC Kerberos Realm:
- ank -pw password krbtgt/[EMAIL PROTECTED]
- ank -pw password krbtgt/[EMAIL PROTECTED]
In Win2K domain:
- Add inter-realm keys in the Active Directory Domains and Trusts (Trusts tab)
- Create account mappings using the AltSecurityId property 

Thanks,
Lara


------------------------------------------------------------------------------------ 
Life, you see, is never as good or as bad as one thinks
                                                        - Guy de Maupassant -
------------------------------------------------------------------------------------

________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
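
The check described in the message above (whether a captured TGS-REQ carries the canonicalize option) can be made directly on the kdc-options value a packet analyzer displays. The following is an added example, not part of the original message: bit numbers are taken from RFC 4120 (KDCOptions) and RFC 6806 (canonicalize, bit 15), and both sample values are constructed for illustration.

```python
# Added example: decode Kerberos KDCOptions and test the canonicalize flag.
# Bit 0 is the most significant bit of the 32-bit flag field (RFC 4120).
KDC_OPTION_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 8: "renewable",
    11: "opt-hardware-auth", 15: "canonicalize",  # bit 15: RFC 6806
    26: "disable-transited-check", 27: "renewable-ok",
    28: "enc-tkt-in-skey", 30: "renew", 31: "validate",
}
CANONICALIZE_BIT = 15


def parse_kdc_options(raw: bytes) -> int:
    """Accept the 4 flag bytes, or a DER BIT STRING (03 05 00 + 4 bytes)."""
    if len(raw) == 7 and raw[0] == 0x03 and raw[1] == 0x05:
        if raw[2] != 0:
            raise ValueError("32-bit KDCOptions must declare 0 unused bits")
        raw = raw[3:]
    if len(raw) != 4:
        raise ValueError("expected exactly 32 bits of KDCOptions")
    return int.from_bytes(raw, "big")


def set_flags(value: int) -> list:
    """Return the names of all options set, in bit order."""
    names = []
    for bit in range(32):
        if value & (1 << (31 - bit)):
            names.append(KDC_OPTION_BITS.get(bit, f"bit{bit}"))
    return names


def has_canonicalize(value: int) -> bool:
    """True when the client asked the KDC for name canonicalization/referrals."""
    return bool(value & (1 << (31 - CANONICALIZE_BIT)))


# Constructed samples: one request without the flag (as four raw bytes),
# one with it (as a DER-encoded BIT STRING).
SAMPLE_WITHOUT = bytes.fromhex("40800010")
SAMPLE_WITH = bytes.fromhex("03050040810010")

if __name__ == "__main__":
    for label, raw in (("without", SAMPLE_WITHOUT), ("with", SAMPLE_WITH)):
        opts = parse_kdc_options(raw)
        print(f"{label}: 0x{opts:08x} {set_flags(opts)} "
              f"canonicalize={has_canonicalize(opts)}")
```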
