Hello everyone,

Douglas E. Engert wrote:
> That is not the way it works. The user would login with user at KERB.UTA.EDU
> and get a ticket, krbtgt/KERB.UTA.EDU at KERB.UTA.EDU. This is done from the
> Kerberos realm. Then when the user needed to access a Windows resource, such
> as the local workstation during login, a cross realm ticket would be obtained,
> by the client to the Kerberos realm, krbtgt/UTA.EDU at KERB.UTA.EDU.
> This would be used to get the ticket for the server, host/workstation at UTA.EDU
> from the AD realm. If the account mappings were set up in AD as per
> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
> "Creating Account Mappings" this last service ticket would have the Microsoft
> PAC data in it.
>
> With cross realm the two AD/KDC never communicate directly. The client
> gets cross realm tickets from one to use with the other.
>
> We do just the opposite. We have our users registered in Windows AD,
> and they authenticate to Windows then get cross realm for Unix services
> that are registered in the MIT realm.

Hello,

This is mainly a question for Mr. Douglas E. Engert, but if anyone else can help please feel free to do so.

We have a similar organisation as the "opposite" and I can't figure out how to accomplish the following:

We want users in the AD 2003 domain to authenticate to Windows and then get a cross realm ticket for services in the MIT realm.

We managed to achieve that a user with a mapped principal can log in on a client in the AD with the MIT realm principal and password. He gets a TGT for the MIT realm and one for the AD 2003 domain.

But if the same user logs in on a client in the AD with the principal and password from the AD domain, he only gets a TGT for the AD domain. If he tries to use a service in the MIT realm, he gets an error from the AD 2003 domain controller: "KDC_S_Principal_unknown".

The problem is that the user doesn't get a cross realm ticket from the MIT realm if he logs in a [EMAIL PROTECTED] Domain.

It would be great if anyone can give me a hint what to do next.

Thanks
Schikora
