I found a solution (is it a good solution?):
- I add my client (W7) into my AD.MYREALM (Microsoft Domain)
- on the client, I do: ksetup /AddKdc MYREALM

As you see, I don't give the address of the MIT KDC. I can open a session with a MIT KDC user. If I do: ksetup /AddKdc MYREALM kdc1.myrealm, that does not work.

What do you think about it?

Jean-Michel

2011/8/26 jm130794 <[email protected]>

> Hello Ross,
>
> With my first client, I added my computer in the Microsoft Domain. After
> that, I could log in with my account MIT. I never change anything in the
> registry.
>
> Thanks,
>
> JM
>
> 2011/8/26 Wilper, Ross A <[email protected]>
>
>> One thing that you did not make clear is if you defined the MIT kerberos
>> realm in the registry of the Windows 7 machine.
>> (ksetup /AddKDC <realm> <kdc> or just go to
>> HKLM\System\CurrentControlSet\LSA\Kerberos\Domains and make a key named the
>> same as the realm and add a REG_MULTI_SZ value "KdcNames")
>>
>> -Ross
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On
>> Behalf Of jm130794
>> Sent: Friday, August 26, 2011 7:41 AM
>> To: Robert Wehn
>> Cc: [email protected]
>> Subject: Re: Cross realm between AD and MIT
>>
>> Hello,
>>
>> I tried with another client and I have the same problem!
>>
>> I can't open a session with user1 (MIT principal).
>>
>> JM
>>
>> 2011/8/24 Robert Wehn <[email protected]>
>>
>> > Hi JM
>> >
>> > might be a dns error.
>> > The Client (user) has to guess the realm to the service and often uses
>> > dns (for example TXT records) or some registry entry (HostTorealm) to
>> > determine the KRB REALM for the service (in this case the local login).
>> >
>> > Try to wireshark what DNS request a win XP Machine does, when you try to
>> > login using Cross Realm Trust
>> > Do the same on the Windows 7 Machine.
>> >
>> > When testing Cross-Realm trust several months ago I had the impression
>> > MS changed something there, but I didn't really finish this.
>> > Actually it doesn't read out TXT Records which worked fine for WinXP.
>> >
>> > If you find out something, please tell me.
>> >
>> > Robert.
>> >
>> > On 24.08.2011 14:06, jm130794 wrote:
>> > > I used wireshark to find why my connection fails. It seems that AD
>> > > returns the error KDC_ERR_WRONG_REALM. It's weird that I can connect
>> > > to the server and not on the client!
>> > >
>> > > Regards,
>> > >
>> > > JM
>> > >
>> > > 2011/8/24 jm130794 <[email protected]>
>> > >
>> > >> Hello
>> > >>
>> > >> I installed a cross realm between my MIT and an AD. I can open a
>> > >> session on my AD server with a principal defined in my MIT Kerberos
>> > >> (eg user1).
>> > >>
>> > >> I added a Windows Seven to my Microsoft Domain. I can open a session
>> > >> on this station with the Domain Administrator Domain without problem.
>> > >>
>> > >> When I try to open a session with user1 (MIT principal), that doesn't
>> > >> work...
>> > >>
>> > >> Any idea?
>> > >>
>> > >> Thanks,
>> > >>
>> > >> JM
>> >
>> > --
>> >
>> > Dr. Robert Wehn ........................ http://www.rz.uni-augsburg.de
>> > Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2047
>> > 86135 Augsburg .................................. Fax. (0821) 598-2028

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
