Simo Sorce <[email protected]> writes:
> "Wilper, Ross A" <[email protected]> wrote:

>> That is true.. I oversimplified a bit. This would allow you to have a
>> KDC with equivalent principals. You would need a trust relationship and
>> the external principal names set on the AD users as alternate security
>> identities for the synchronized principals to work for Windows logon,
>> etc. I had simply assumed this scenario.

> Not sufficient, you need to provide a PAC for Windows Logons to work
> using principals from the MIT Realm.

Given that we do this routinely at Stanford using cross-realm trust
exactly as Ross describes, I think you've misunderstood something. I
believe AD adds the PAC for you when you do what Ross says and configure
the external principal names as alternate security identities.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
