On Mon, 21 Aug 2006 18:40:28 +0200 "Florian Frankenberger" <[EMAIL PROTECTED]> wrote:
> My problem is that Alice is not in the domain in which the KDC is running. To
> be more precise, the KDC and the service Alice are set up in different
> network environments and thus do not know each other.
> Is it possible to create a kerberized service that is not part of the
> Kerberos realm? If yes, what do I have to do?

Alice and Bob have to be in the same realm or in separate realms that have a
trust established between them. Otherwise there is no basis for establishing
trust between Alice and Bob. Kerberos is a "third party authentication system",
so there needs to be someone both principals trust.

> I thought of sharing the symmetric service key between the KDC and Alice. To
> do so, I tried to create the service Alice with ktpass, give the so created
> encryption key to Alice and let Alice decrypt the service tickets, that will
> be delivered by Bobs later.
>
> Is this procedure possible in theory? Does anyone know how to obtain the
> service ticket by using JAAS? I only managed to get the TGT.

If Bob requests a ticket for ALICESVC/[EMAIL PROTECTED] then even if Bob is
[EMAIL PROTECTED] he should have no problem looking up the KDC for AI-AG.DE
using DNS and getting a ticket per usual. But a trust relationship would be
required between AI-AG.DE and AI-AG.US.

Mike

--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
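The step the original poster was missing ("I only managed to get the TGT") is that JAAS alone only performs the AS exchange; the TGS exchange that yields a service ticket happens when a GSS-API context is initiated against the service principal. The following is an added example, not code from the thread or from either author: a JGSS client that logs in through JAAS and then initiates a context for the service, which makes the Java Kerberos mechanism fetch the cross-realm TGT and the service ticket along the trust path Mike describes. The principal names (ALICESVC/alice.ai-ag.de@AI-AG.DE, bob@AI-AG.US), the host name and the JAAS entry name "BobClient" are assumptions standing in for the redacted names; the JAAS config shown in the comment is likewise assumed.

```java
// Added example, not from the original thread. Assumed names: the client is
// bob@AI-AG.US, the service is ALICESVC/alice.ai-ag.de@AI-AG.DE, and a
// cross-realm trust exists between AI-AG.US and AI-AG.DE.
//
// Assumed JAAS config, passed with -Djava.security.auth.login.config=jaas.conf:
//   BobClient {
//       com.sun.security.auth.module.Krb5LoginModule required
//           useTicketCache=true doNotPrompt=false;
//   };
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class GetServiceTicket {
    // Kerberos V5 mechanism OID.
    private static final Oid KRB5_MECH = oid("1.2.840.113554.1.2.2");

    public static void main(String[] args) throws Exception {
        // JAAS login runs only the AS exchange: afterwards the Subject holds
        // the TGT krbtgt/AI-AG.US@AI-AG.US for bob@AI-AG.US and nothing else.
        LoginContext lc = new LoginContext("BobClient");
        lc.login();
        Subject subject = lc.getSubject();

        Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> {
            GSSManager manager = GSSManager.getInstance();
            // The target name carries the realm of the KDC that holds
            // ALICESVC's key; the client resolves that realm's KDC via DNS.
            GSSName target = manager.createName(
                    "ALICESVC/alice.ai-ag.de@AI-AG.DE", GSSName.NT_USER_NAME, KRB5_MECH);
            GSSContext ctx = manager.createContext(
                    target, KRB5_MECH, null, GSSContext.DEFAULT_LIFETIME);
            // initSecContext drives the TGS exchange(s): with the trust in
            // place the client first obtains krbtgt/AI-AG.DE@AI-AG.US, then a
            // ticket for ALICESVC, and returns the AP-REQ token to send to Alice.
            byte[] apReq = ctx.initSecContext(new byte[0], 0, 0);
            System.out.println("AP-REQ token for Alice: " + apReq.length + " bytes");
            ctx.dispose();
            return null;
        });

        // Tickets acquired during the exchange are added to the Subject's
        // private credentials; the cross-realm TGT shows up here as well.
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            System.out.println(t.getClient().getName() + " -> " + t.getServer().getName());
        }
    }

    private static Oid oid(String s) {
        try {
            return new Oid(s);
        } catch (org.ietf.jgss.GSSException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Without the trust, initSecContext fails at the first TGS request (the AI-AG.US KDC has no krbtgt/AI-AG.DE principal to issue a referral ticket for), which is the concrete symptom of Mike's point that a shared service key alone gives the two realms no basis for trust.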
