The easiest way to do it on the Windows side is through Active Directory Domains and Trusts. There is an excellent white paper put out by Microsoft that details the process for Windows 2000 but still applies to 2003. We just set this up for a one-way trust; it works flawlessly.
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp

Walter Weiss

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeremy J. Casper
Sent: Monday, March 14, 2005 5:27 PM
To: [email protected]
Subject: Cross-realm Authentication with Windows Server 2003

We are trying to set up a Kerberos pass-thru authenticated logon in a Windows 2003 server forest. We have tried the following steps to get the pass-thru to work, but are currently getting an error message when we try to log in. We have done the following steps on both the AD controller and the Kerberos server.

Active Directory Domain is AD.SCHOOL.EDU
Kerberos realm is SCHOOL.EDU Kerberos server

Active Directory Server
1. ran the following command "ksetup /addkdc SCHOOL.EDU kerberos.SCHOOL.EDU"
2. ran the command "netdom TRUST AD.SCHOOL.EDU /Domain:SCHOOL.EDU /Add /Realm /PasswordT:"Someolpswd"
3. ran the command "netdom TRUST AD.SCHOOL.EDU /Domain:SCHOOL.EDU /Transitive:yes"
4. Restarted the AD server

Kerberos Server
1. ran the command kadmin: addprinc -e des-cbc-crc:normal krbtgt/ad.school.edu
2. entered in "Someolpswd" when prompted for the password
3. added to the hosts file "<ip address> ad.school.edu ad"
4. added to the krb5.conf file:

    [realms]
        AD.SCHOOL.EDU = {
            kdc = dc.ad.school.edu
            admin_server = dc.ad.school.edu
        }

    [domain_realm]
        .ad.school.edu = AD.SCHOOL.EDU

When looking at the logs, we get the following information:

Mar 14 16:10:19 kerberos.school.edu krb5kdc[15690](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 128.128.128.128(88): ISSUE: authtime 1110838219, etypes {rep=3 tkt=16 ses=1}, [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED]
Mar 14 16:10:19 kerberos.school.edu krb5kdc[15690](info): TGS_REQ (5 etypes {23 3 1 24 -135}) 128.128.128.128(88): UNKNOWN_SERVER: authtime 1110838219, [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED], Server not found in Kerberos database

Any ideas on why we are getting the error "Server not found in Kerberos database"?

Thanks,
-Jeremy J. Casper
[EMAIL PROTECTED]
Office of Information Technology
University of Minnesota

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
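Added example (not part of the original thread, and not code from MIT Kerberos): a small parser for krb5kdc log lines in the format quoted above. It pulls out the exact server principal named in an UNKNOWN_SERVER failure, so it can be compared character for character with the principals in the KDC database, and it flags single-DES or export-RC4 etypes in issued tickets. The principals in the sample lines are constructed, because the list archive redacts them; the function names are this example's own.

```python
import re

# Etype numbers from the IANA Kerberos registry; negative values are local-use.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
          23: "rc4-hmac", 24: "rc4-hmac-exp"}
WEAK = {1, 3, 24}  # single DES and export RC4, deprecated by RFC 6649

LINE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<offered>[-\d ]+)\}\) (?P<ip>[\d.]+)\(\d+\): "
    r"(?P<status>[A-Z_]+): authtime \d+,(?: etypes \{(?P<issued>[^}]*)\},)? "
    r"(?P<client>\S+) for (?P<server>[^\s,]+)(?:, (?P<reason>.*))?$")

# Constructed sample: same layout as the lines in the thread, with made-up
# principals standing in for the redacted ones.
SAMPLE = [
    "Mar 14 16:10:19 kerberos.school.edu krb5kdc[15690](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 128.128.128.128(88): ISSUE: authtime 1110838219, etypes {rep=3 tkt=16 ses=1}, jdoe@SCHOOL.EDU for krbtgt/SCHOOL.EDU@SCHOOL.EDU",
    "Mar 14 16:10:19 kerberos.school.edu krb5kdc[15690](info): TGS_REQ (5 etypes {23 3 1 24 -135}) 128.128.128.128(88): UNKNOWN_SERVER: authtime 1110838219, jdoe@SCHOOL.EDU for krbtgt/AD.SCHOOL.EDU@SCHOOL.EDU, Server not found in Kerberos database",
]

def etype_name(n):
    return ETYPES.get(n, "local-use" if n < 0 else "unknown")

def parse(line):
    """Return the fields of one AS_REQ/TGS_REQ log line, or None if it does not match."""
    m = LINE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["offered"] = [int(n) for n in ev["offered"].split()]
    ev["issued"] = {k: int(v) for k, v in
                    (p.split("=") for p in (ev["issued"] or "").split())}
    return ev

def findings(lines):
    """List (kind, client, detail) tuples worth an administrator's attention."""
    out = []
    for ev in filter(None, map(parse, lines)):
        weak = sorted(e for e in ev["issued"].values() if e in WEAK)
        if weak:
            out.append(("weak_etype_issued", ev["client"], [etype_name(e) for e in weak]))
        if ev["status"] == "UNKNOWN_SERVER":
            # The principal exactly as requested; compare it with listprincs output.
            out.append(("unknown_server", ev["client"], ev["server"]))
    return out

if __name__ == "__main__":
    for f in findings(SAMPLE):
        print(f)
```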
