Hi Ross,

On Tue, Aug 24, 2010 at 5:39 PM, Wilper, Ross A <[email protected]> wrote:
> You mention allowing the DES enctypes on the Windows 7 box? Is that the
> only common enctype available between the MIT realm and Windows? (AES256,
> AES128, RC4_HMAC, DES_CBC_MD5, DES_CBC_CRC)
>

I have all these enctypes enabled in fact.

> If so, you will need to have DES enabled on the domain controller also.
> This is most easily done (for all machines) using a group policy
>
> "Network Security: Configure Encryption types allowed for Kerberos"
>

I have not found this group policy in a Windows Server 2008.

> Outbound trust should be the correct direction
> It appears that you have altSecurityIdentities set on the domain user
> account
> Check the time on the DCs too.
>

Yes, I linked every AD user to an MIT Kerberos principal manually, using the "name mapping" settings in AD. I think that's what you mean by altSecurityIdentities. (I'm still new in this domain.)
I have an NTP server, and I've checked the time on all the servers and clients.
Nothing works so far.

With Wireshark on the Windows 7 box, I've got some traffic:

source: windows 7 box, destination: mit kdc, info : as-req
source: mit kdc, destination: windows 7 box, info : as-rep
source: windows 7 box, destination: mit kdc, info : tgs-req
source: mit kdc, destination: windows 7 box, info : tgs-rep

I don't see any traffic between my Windows 7 box and the Active Directory. That seems not so normal.

Thanks.

Claudia

>
> -Ross
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of c f
> Sent: Tuesday, August 24, 2010 3:06 AM
> To: [email protected]
> Subject: problem with the cross-realm, any help?
>
> Hello,
>
> I need some help with the cross-realm.
>
> I have MIT KDC, an Active Directory on Windows Server 2008 Enterprise, and a
> Windows 7 (in the windows domain) as a client for test.
> What I want to do is: to log onto Windows 7 with the MIT Kerberos accounts.
>
> I've created and configured:
> -- on MIT kdc, adding the "krbtgt/[email protected]", and
> "krbtgt/[email protected]" principals;
> -- on Windows2008, creating the trust relationship with the MIT kdc (Direct
> Outbound)
> -- on both Windows 7 and Windows server 2008, using "ksetup /addRealm
> ......" to add the MIT Kerberos realm;
> -- on Windows 7, enabling the DES encryption, but not on the 2008 server, as
> I could not find a way to do that;
> -- on Windows server 2008, creating the same users as in MIT kdc, and mapping
> them to MIT Kerberos principals;
>
> The problem is, I cannot log onto Windows 7 by using the MIT Kerberos
> username and password.
> I've got these 2 types of error messages: sometimes "user name and password
> is incorrect", and sometimes "the trust relationship between this workstation
> and the primary domain failed".
> On the MIT kdc's log file, there is the message
> "mitkdc.mydomain.comkrb5kdc[6735](info): AS_REQ (7 etypes {18 17 23 3
> 1 24 -135}) ...: ISSUE:
> authtime 1282578442, etypes {rep=23 tkt=16 ses=23},
> [email protected] krbtgt/
> [email protected]".
> And in Active Directory, I see nothing wrong, nor on the Windows 7.
>
> However, if I don't add my Windows 7 into Active Directory, but the MIT
> Kerberos Domain, everything works. I can authenticate the standalone
> workstation (Windows 7) against MIT Kerberos without problem (by activating
> the guest account on Windows 7, and mapping * to the guest account).
>
> I've been blocked for weeks on this. Does anyone have any ideas to help me?
>
> Thank you!
>
> Claudia
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
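Added example, not part of the thread: a small Python decoder for the enctype numbers in a krb5kdc log line like the one quoted above, flagging which issued enctypes are deprecated. The sample line is constructed from the quoted one; the client address and the `EXAMPLE.REALM` principal names are placeholders, and the function and field names are this example's own.

```python
import re

# Kerberos enctype numbers as used by MIT krb5; -135 is a Microsoft-private
# value that Wireshark labels ARCFOUR-HMAC-OLD-EXP.
ETYPES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
    -135: "rc4-hmac-old-exp (Microsoft private)",
}
# DES and RC4 export (RFC 6649), 3DES and RC4 (RFC 8429); -135 is an
# export-grade RC4 variant and is treated as weak here.
WEAK = {1, 3, 16, 23, 24, -135}

REQ_RE = re.compile(r"(AS_REQ|TGS_REQ) \(\d+ etypes \{([^}]*)\}\)")
ISSUE_RE = re.compile(r"etypes \{rep=(-?\d+) tkt=(-?\d+) ses=(-?\d+)\}")

def etype_name(n):
    return ETYPES.get(n, f"unknown({n})")

def decode_kdc_line(line):
    """Decode the offered and issued enctypes of one krb5kdc log line."""
    req = REQ_RE.search(line)
    if req is None:
        raise ValueError("not an AS_REQ/TGS_REQ log line")
    offered = [int(tok) for tok in req.group(2).split()]
    issued = {}
    issue = ISSUE_RE.search(line)
    if issue:  # absent when the KDC logged an error instead of ISSUE
        issued = dict(zip(("rep", "tkt", "ses"), map(int, issue.groups())))
    return {
        "request": req.group(1),
        "offered": [(n, etype_name(n)) for n in offered],
        "issued": {role: etype_name(n) for role, n in issued.items()},
        "weak_issued": [role for role, n in issued.items() if n in WEAK],
        "strong_offered": [n for n in offered if n not in WEAK],
    }

# Constructed sample (address and principals are placeholders).
SAMPLE = ("krb5kdc[6735](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) "
          "192.0.2.10: ISSUE: authtime 1282578442, "
          "etypes {rep=23 tkt=16 ses=23}, "
          "user@EXAMPLE.REALM for krbtgt/EXAMPLE.REALM@EXAMPLE.REALM")

if __name__ == "__main__":
    for key, value in decode_kdc_line(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample, the client offered AES (18 and 17), yet the reply key, ticket key and session key were all issued with deprecated enctypes (rc4-hmac, des3-cbc-sha1, rc4-hmac).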
