[30057] in Kerberos


Re: Cross-realm authentication Windows AD - MIT

daemon@ATHENA.MIT.EDU (Russ Allbery)
Mon Jun 30 12:52:38 2008

To: Wouter Verhelst <wouter@nixsys.be>
In-Reply-To: <20080627110208.GC3281@country.nixsys.be> (Wouter Verhelst's
	message of "Sun\, 29 Jun 2008 17\:34\:47 +0200")
From: Russ Allbery <rra@stanford.edu>
Date: Mon, 30 Jun 2008 09:50:41 -0700
Message-ID: <87myl2j28u.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Wouter Verhelst <wouter@nixsys.be> writes:

> Now when I try to do cross-realm authentication from a Windows host, it
> does not seem to work. The steps I've taken include:
>
> - set up cross-realm authentication: I have a one-way "incoming" trust
>   relationship in Windows, and created a
>   "krbtgt/MIT-REALM@WINDOWS-REALM" principal in kadmin, with the same
>   password (a 40-character random string that was copy-pasted in both
>   cases). The trust is a "realm" trust, not a "domain trust", to account
>   for the differences between Windows "Kerberos" and the actual
>   protocol.

For what it's worth, Windows Kerberos is the actual protocol.  Except for
some issues around PKINIT, which aren't really Microsoft's fault, and the
bugs that any implementation will have, Windows Kerberos follows the
protocol just like everyone else.  The PAC is allowed for in the protocol.

Microsoft does deserve negative press for some things around how they
handled the PAC situation, but protocol compliance isn't one of them.
Microsoft Windows KDCs interoperate quite well with the rest of the
world.

> What's peculiar is that in the final two steps, the windows system
> doesn't even seem to request cross-realm kerberos tickets; it doesn't
> get a TGT, nor does it try to contact the MIT kerberos server.

I think you have a one-way trust going the wrong way for what you're
trying to do.  You need an outgoing trust from Windows to MIT for the
Windows client to get cross-realm tickets with MIT.

Why not just set up full bidirectional trust?  That's what we do and I can
confirm that once that trust is set up, what you're trying to do works
just fine; we do exactly the same thing for our central web authentication
system.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
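The trust-direction point in Russ's reply, as an added Python model that is not from the thread and not code from any Kerberos implementation. A cross-realm TGT for krbtgt/B@A is issued by realm A's KDC and can only be decrypted by realm B's KDC, so both databases must hold the same key for that one principal, and the reverse direction needs the second principal krbtgt/A@B. The model stands in HMAC-SHA256 for ticket encryption and SHA-256 for string2key (neither is real Kerberos crypto), reuses the realm names MIT-REALM and WINDOWS-REALM from the thread, uses a constructed trust password and hypothetical client and service names, and models the one-way trust as sharing only the reverse-direction principal; it shows the symptom in the thread (Windows client never gets a cross-realm TGT), the bidirectional case, and a mistyped trust password.

```python
"""Model of Kerberos cross-realm trust direction (added example, not Kerberos code).

Real cross-realm tickets are ASN.1-encoded and encrypted under the krbtgt key;
here a ticket is a JSON body plus an HMAC-SHA256 tag under the shared key, which
is enough to model which KDC must hold which krbtgt key.
"""
import hashlib
import hmac
import json
from typing import Optional


def _seal(key: bytes, payload: dict) -> bytes:
    body = json.dumps(payload, sort_keys=True).encode()
    return body + b"|" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def _unseal(key: bytes, blob: bytes) -> Optional[dict]:
    body, _, tag = blob.rpartition(b"|")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


class KDC:
    """One realm's KDC: a realm name and a kadmin-style principal database."""

    def __init__(self, realm: str):
        self.realm = realm
        self.db: dict[str, bytes] = {}

    def addprinc(self, principal: str, password: str) -> None:
        # Stand-in for string2key: a plain hash of the trust password.
        self.db[principal] = hashlib.sha256(password.encode()).digest()

    def tgs_cross_realm(self, client: str, target_realm: str) -> Optional[tuple[str, bytes]]:
        """Local client asks us for krbtgt/<target>@<our realm>.

        Without the key for that principal in OUR database the client gets no
        cross-realm TGT at all and never contacts the other realm's KDC.
        """
        sname = f"krbtgt/{target_realm}@{self.realm}"
        key = self.db.get(sname)
        if key is None:
            return None
        return sname, _seal(key, {"cname": client, "crealm": self.realm})

    def tgs_service(self, cross_tgt: tuple[str, bytes], service: str) -> Optional[str]:
        """Foreign client presents a cross-realm TGT to us, the target realm.

        Decryptable only if we hold the same key under the same krbtgt/<us>@<issuer>
        name; a different password on either side fails here.
        """
        sname, blob = cross_tgt
        key = self.db.get(sname)
        if key is None or not sname.startswith(f"krbtgt/{self.realm}@"):
            return None
        payload = _unseal(key, blob)
        if payload is None:
            return None
        return f"{service}@{self.realm} for {payload['cname']}@{payload['crealm']}"


def authenticate(client_kdc: KDC, service_kdc: KDC, client: str, service: str) -> Optional[str]:
    """Full cross-realm path: the client's own KDC first, then the service's KDC."""
    cross = client_kdc.tgs_cross_realm(client, service_kdc.realm)
    if cross is None:
        return None
    return service_kdc.tgs_service(cross, service)


def demo() -> dict[str, Optional[str]]:
    win = KDC("WINDOWS-REALM")
    mit = KDC("MIT-REALM")
    pw = "constructed-40-char-trust-password-0123456789"  # constructed, not a real secret

    # Step 1 (the thread's setup, as modelled): MIT holds krbtgt/MIT-REALM@WINDOWS-REALM,
    # but the one-way trust only gave the Windows KDC the reverse-direction principal.
    mit.addprinc("krbtgt/MIT-REALM@WINDOWS-REALM", pw)
    win.addprinc("krbtgt/WINDOWS-REALM@MIT-REALM", pw)
    mit.addprinc("krbtgt/WINDOWS-REALM@MIT-REALM", pw)
    one_way = authenticate(win, mit, "alice", "HTTP/www.example.org")

    # Step 2: bidirectional trust, the Windows KDC also holds krbtgt/MIT-REALM@WINDOWS-REALM.
    win.addprinc("krbtgt/MIT-REALM@WINDOWS-REALM", pw)
    two_way = authenticate(win, mit, "alice", "HTTP/www.example.org")
    reverse = authenticate(mit, win, "bob", "cifs/fileserver")

    # Step 3: same principal on both sides, but the password was mistyped on one of them.
    win.addprinc("krbtgt/MIT-REALM@WINDOWS-REALM", pw + "x")
    mismatch = authenticate(win, mit, "alice", "HTTP/www.example.org")

    return {"one_way": one_way, "two_way": two_way, "reverse": reverse, "mismatch": mismatch}


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Step 1 reproduces the observation that the Windows host never requests a cross-realm TGT: the failure is local to the client's own KDC, so no traffic to the MIT KDC is expected. Step 3 is the separate failure mode where the trust exists in both directions but the shared password differs; that one does reach the target KDC and fails there.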
