[30921] in Kerberos
Re: Kerberos authentication against multiple Windows Domains
daemon@ATHENA.MIT.EDU (Markus Moeller)
Tue Mar 24 20:08:53 2009
To: kerberos@mit.edu
From: "Markus Moeller" <huaraz@moeller.plus.com>
Date: Wed, 25 Mar 2009 00:04:01 -0000
Message-ID: <gqbskd$d6d$1@ger.gmane.org>
Mime-Version: 1.0
X-Complaints-To: usenet@ger.gmane.org
In-Reply-To: <3154FEBCFB92804DA39A2560E17183760341FE80@ukaprdembx02.rd.astrazeneca.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
"Earl, Kevan C" <Kevan.Earl@astrazeneca.com> wrote in message
news:3154FEBCFB92804DA39A2560E17183760341FE80@ukaprdembx02.rd.astrazeneca.net...
> Hello,
>
> I'm after some advice on how to configure Kerberos v5 to authenticate
> users from different Windows domains to the same Apache hosted
> application. Is this possible? If so, is there a simple guide on what
> needs to be done in order to achieve it that can be shared with me?
>
> I have Kerberos v5 installed with a Kerberos-capable version of Apache on
> AIX 5.3.
> I have had a keytab file generated in the Windows "EU" domain, and have
> configured the server so the application authenticates users from the "EU"
> domain.
>
> /etc/krb5.conf is similar to:
>
> [libdefaults]
> default_realm = EU.COMPANY.NET
>
> [realms]
> EU.COMPANY.NET = {
> kdc = eudc01.eu.company.net
> admin_server = eudc01.eu.company.net
> default_domain = eu.company.net
> }
>
> [domain_realm]
> .svr_domain.company.net = EU.COMPANY.NET
> svr_domain.company.net = EU.COMPANY.NET
>
> What do I need to do in order to also authenticate users from the
> company's "US" domain, which is controlled by separate domain
> controller(s), to the application?
>
If the domains have a trust you don't need to do anything. If they don't
have a trust then you need to create a second keytab entry for the host in the
US DC with a second DNS name.
e.g. In the EU domain the server is server.eu.company.net with a key
HTTP/server.eu.company.net@EU.COMPANY.NET in eudc01 and in the US domain the
server is server.us.company.net with a key
HTTP/server.us.company.net@US.COMPANY.NET in usdc01.
Merge both keys in one keytab for apache and configure the apache kerberos
module to accept all names (I think it is KrbServiceName Any in
mod-auth-kerb)
> Any help anyone can give me would be very gratefully received.
>
> Regards,
> Kevan Earl
>
Regards
Markus
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
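The "merge both keys in one keytab" step in the reply above, as an added example that is not part of the original thread and not code from MIT or either poster: a small Python script that builds two single-entry MIT keytabs (the two HTTP/ SPNs from the reply, with constructed dummy keys and kvnos), merges them the way ktutil's rkt/wkt does, then parses the result to confirm that every required SPN is present and to flag entries whose enctype is DES or RC4. The keytab layout is the documented MIT format (version 0x0502, big-endian); the hostnames, kvnos, key bytes and timestamp are assumptions for illustration.

```python
import struct

# Kerberos enctype numbers (RFC 3961, RFC 4757). DES and RC4 are deprecated (RFC 6649, RFC 8429).
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ETYPES = {1, 2, 3, 23}
NT_PRINCIPAL = 1


def _counted(b):
    # keytab "counted octet string": uint16 length followed by the bytes
    return struct.pack(">H", len(b)) + b


def build_keytab_entry(principal, kvno, enctype, key, timestamp=0):
    """Serialize one MIT keytab (0x0502) entry for 'comp1/comp2@REALM'."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())  # count excludes realm in v2
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)  # name type, time, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key                 # keyblock
    body += struct.pack(">I", kvno)                                     # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return b"\x05\x02" + b"".join(build_keytab_entry(*e) for e in entries)


def merge_keytabs(*blobs):
    """Concatenate entries from several keytabs, as 'ktutil: rkt a; rkt b; wkt merged' would."""
    for b in blobs:
        if b[:2] != b"\x05\x02":
            raise ValueError("unsupported keytab version %r" % b[:2])
    return b"\x05\x02" + b"".join(b[2:] for b in blobs)


class _Cursor:
    def __init__(self, data, off):
        self.data, self.off = data, off

    def take(self, fmt):
        vals = struct.unpack_from(fmt, self.data, self.off)
        self.off += struct.calcsize(fmt)
        return vals

    def counted(self):
        (n,) = self.take(">H")
        s = self.data[self.off:self.off + n]
        self.off += n
        return s.decode()


def parse_keytab(data):
    """Return [{principal, kvno, enctype, timestamp}] for every live entry in an MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    cur, entries = _Cursor(data, 2), []
    while cur.off + 4 <= len(data):
        (size,) = cur.take(">i")
        if size < 0:                      # negative size = deleted slot left by ktutil delent
            cur.off += -size
            continue
        end = cur.off + size
        (ncomp,) = cur.take(">H")
        realm = cur.counted()
        comps = [cur.counted() for _ in range(ncomp)]
        _name_type, timestamp, vno8 = cur.take(">IIB")
        etype, klen = cur.take(">HH")
        cur.off += klen                   # skip the key material itself
        kvno = vno8
        if end - cur.off >= 4:            # optional 32-bit kvno overrides the 8-bit one when non-zero
            (kvno32,) = cur.take(">I")
            if kvno32:
                kvno = kvno32
        cur.off = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": etype, "timestamp": timestamp})
    return entries


def check_service_keytab(data, required_principals):
    """Report SPNs missing from the keytab and entries keyed with weak enctypes."""
    entries = parse_keytab(data)
    present = {e["principal"] for e in entries}
    missing = sorted(set(required_principals) - present)
    weak = sorted("%s (%s)" % (e["principal"], ETYPE_NAMES.get(e["enctype"], e["enctype"]))
                  for e in entries if e["enctype"] in WEAK_ETYPES)
    return {"missing": missing, "weak": weak, "entries": entries}


# Constructed sample data (assumed names/kvnos; all-zero keys stand in for real AD keys).
EU_SPN = "HTTP/server.eu.company.net@EU.COMPANY.NET"
US_SPN = "HTTP/server.us.company.net@US.COMPANY.NET"
EU_KEYTAB = build_keytab([(EU_SPN, 3, 18, bytes(32), 1237939200)])  # AES256 from eudc01
US_KEYTAB = build_keytab([(US_SPN, 2, 23, bytes(16), 1237939200)])  # RC4 from usdc01
MERGED = merge_keytabs(EU_KEYTAB, US_KEYTAB)

if __name__ == "__main__":
    report = check_service_keytab(MERGED, [EU_SPN, US_SPN])
    for e in report["entries"]:
        print("%-45s kvno=%d %s" % (e["principal"], e["kvno"], ETYPE_NAMES.get(e["enctype"], e["enctype"])))
    print("missing:", report["missing"] or "none")
    print("weak enctypes:", report["weak"] or "none")
```

On the real server the same check is `klist -kte /path/to/apache.keytab` after merging with ktutil (`rkt eu.keytab`, `rkt us.keytab`, `wkt apache.keytab`): both HTTP/ principals must be listed, and the kvno of each must match the current kvno of the corresponding computer/service account on its own DC, otherwise tickets issued after a password reset will fail to decrypt. The RC4 entry the sample flags is the kind of thing to fix on the DC side (re-export the keytab with AES) rather than tolerate in Apache.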