You mention allowing the DES enctypes on the Windows 7 box? Is that the only common enctype available between the MIT realm and Windows? (AES256, AES128, RC4_HMAC, DES_CBC_MD5, DES_CBC_CRC)
If so, you will need to have DES enabled on the domain controller also. This is most easily done (for all machines) using a group policy: "Network Security: Configure Encryption types allowed for Kerberos".

Outbound trust should be the correct direction.

It appears that you have altSecurityIdentities set on the domain user account.

Check the time on the DCs too.

-Ross

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of c f
Sent: Tuesday, August 24, 2010 3:06 AM
To: [email protected]
Subject: problem with the cross-realm, any help?

Hello,

I need some help with the cross-realm. I have an MIT KDC, an Active Directory on Windows Server 2008 Enterprise, and a Windows 7 (in the Windows domain) as a client for testing. What I want to do is to log onto Windows 7 with the MIT Kerberos accounts.

I've created and configured:
-- on the MIT KDC, adding the "krbtgt/[email protected]" and "krbtgt/[email protected]" principals;
-- on Windows 2008, creating the trust relationship with the MIT KDC (Direct Outbound);
-- on both Windows 7 and Windows Server 2008, using "ksetup /addRealm ......" to add the MIT Kerberos realm;
-- on Windows 7, enabling the DES encryption, but not on the 2008 server, as I could not find a way to do that;
-- on Windows Server 2008, creating the same users as in the MIT KDC, and mapping them to MIT Kerberos principals.

The problem is, I cannot log onto Windows 7 by using the MIT Kerberos username and password. I've got these 2 types of error messages: sometimes "user name and password is incorrect", and sometimes "the trust relationship between this workstation and the primary domain failed".

In the MIT KDC's log file, there is the message "mitkdc.mydomain.comkrb5kdc[6735](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) ...: ISSUE: authtime 1282578442, etypes {rep=23 tkt=16 ses=23}, [email protected] krbtgt/ [email protected]". And in Active Directory, I see nothing wrong, nor on the Windows 7.

However, if I don't add my Windows 7 into Active Directory but into the MIT Kerberos domain, everything works. I can authenticate the standalone workstation (Windows 7) against MIT Kerberos without problem (by activating the guest account on Windows 7, and mapping * to the guest account).

I've been blocked for weeks on this. Does anyone have any ideas to help me?

Thank you!
Claudia

________________________________________________
Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
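As an added example (not part of either message in the thread), a small Python helper that decodes the enctype numbers in the krb5kdc AS_REQ line Claudia quotes and compares them against the five types Ross lists as available on the Windows side. Assumptions: the "allowed" set is taken from Ross's list, the enctype names follow the IANA registry as MIT krb5 prints them (negative values are legacy Microsoft RC4 variants), and the sample log line is a constructed copy of the one in the thread.

```python
import re

# Kerberos enctype numbers as MIT krb5 logs them. Positive values follow the
# IANA registry; negative values are legacy Microsoft RC4 variants.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac", 24: "rc4-hmac-exp", -128: "rc4-md4",
    -133: "rc4-hmac-old", -135: "rc4-hmac-old-exp",
}

# Assumption: the five types Ross lists, used here as the DC's allowed set
# (AES256, AES128, RC4_HMAC, DES_CBC_MD5, DES_CBC_CRC).
WINDOWS_ALLOWED = {18, 17, 23, 3, 1}

# Constructed copy of the AS_REQ ISSUE line quoted in the thread.
SAMPLE_LOG = ("mitkdc.mydomain.com krb5kdc[6735](info): AS_REQ (7 etypes "
              "{18 17 23 3 1 24 -135}) ...: ISSUE: authtime 1282578442, "
              "etypes {rep=23 tkt=16 ses=23}, [email protected] "
              "krbtgt/[email protected]")

AS_REQ_RE = re.compile(r"AS_REQ \(\d+ etypes \{([-\d ]+)\}\).*?etypes \{([^}]*)\}")


def parse_as_req(line):
    """Return (etypes the client offered, {rep/tkt/ses: etype the KDC used})."""
    m = AS_REQ_RE.search(line)
    if not m:
        raise ValueError("not a krb5kdc AS_REQ ISSUE line")
    requested = [int(x) for x in m.group(1).split()]
    issued = {k: int(v) for k, v in (kv.split("=") for kv in m.group(2).split())}
    return requested, issued


def name(etype):
    """Human-readable enctype name, falling back to the raw number."""
    return ENCTYPE_NAMES.get(etype, f"unknown({etype})")


def check_compat(line, allowed=WINDOWS_ALLOWED):
    """Which offered etypes both sides share, and which issued keys fall outside
    the allowed set (an empty problems list means every key is usable)."""
    requested, issued = parse_as_req(line)
    common = [e for e in requested if e in allowed]
    problems = [f"{role} key uses {name(e)}" for role, e in issued.items()
                if e not in allowed]
    return common, problems


if __name__ == "__main__":
    shared, issues = check_compat(SAMPLE_LOG)
    print("common enctypes:", ", ".join(name(e) for e in shared))
    print("problems:", issues or "none")
```

The `tkt=` value is the enctype of the cross-realm krbtgt key the ticket was encrypted with, so it is the one to compare against what the other realm can decrypt.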
