[30995] in Kerberos
MIT Kerberos + Windows 2K3 AD Kerberos Cross-Realm TGT Issue using daemon@ATHENA.MIT.EDU (Jason D. McCormick)
Thu Apr 16 10:38:05 2009
From: "Jason D. McCormick" <jasonmc@sei.cmu.edu>
To: "'kerberos@mit.edu'" <kerberos@mit.edu>
Date: Thu, 16 Apr 2009 10:36:47 -0400
Message-ID: <81BFFE1EFAD6894D9992C1B6D2A255B5CFEFFF27BE@EXCHANGE.sei.cmu.edu>
Hello all,
Haven't found the answer to this one on Google or in mailing list archives.
If someone has a ready-made answer for me, just point the way....
I'm working on a project that is consolidating two different authentication
domains, their users and their services. There is a long-standing MIT
Kerberos realm that for this question I'll call EXAMPLE1.COM. There is also
a new Windows 2003R2 Active Directory Forest comprising two domains, a
top-level "empty" forest root AD-ROOT.EXAMPLE2.COM and the populated general
domain AD.EXAMPLE2.COM. We've established a bi-directional trust between
EXAMPLE1.COM and AD.EXAMPLE2.COM (but not between AD-ROOT.EXAMPLE2.COM and
EXAMPLE1.COM). There are appropriate Kerberos-related DNS records published
for both domains example1.com and example2.com.
Users in either domain/realm using Linux have no problems getting and using
Kerberos tickets, TGTs and subsequent service tickets in either direction -
EXAMPLE1.COM users -> AD.EXAMPLE2.COM services and AD.EXAMPLE2.COM users ->
EXAMPLE1.COM services. Additionally, users on Windows XP using Kerberos
for Windows/Network Identity Manager *and* using services/applications that
rely on the "API" credential cache have no problems working in either
direction. An example is OpenAFS or Firefox with
network.auth.use-sspi=false set. This all works fine and seamlessly as one
would expect.
However we are having problems with users of Windows XP who are logging in
to AD.EXAMPLE2.COM acquiring the cross-realm TGTs (i.e.
krbtgt/EXAMPLE1.COM@AD.EXAMPLE2.COM) and service tickets to use EXAMPLE1.COM
for any application that uses the MSLSA/SSPI credential cache (e.g. Internet
Explorer, Outlook, Firefox with network.auth.use-sspi=true). From our
investigation, Windows never appears to be making any DNS-based domain/realm
lookups (based on wireshark and DNS query logging) nor does there appear to
be any way to hard-code domain-realm mappings into the registry to tell the
SSPI cache how to act. We do have hard-coded domain-realm mappings in
Network ID Manager, but SSPI (rightfully I believe) ignores this. Any
GSSAPI or SPNEGO authentication attempt fails with a general error about
lacking authorized credentials.
We've explored various netdom.exe settings (many of which require the trust
to be at the forest root level), some registry settings, user mapping
changes and other items all with no effect. We've contemplated adding a
trust between AD-ROOT.EXAMPLE2.COM and EXAMPLE1.COM but there's no
documentation that we can find that indicates that'll be helpful.
I guess my question is how do we either force domain-realm DNS lookups to
happen or otherwise force the SSPI credential cache to get a TGT for the
cross-realm trust? Can anyone point me to our configuration error or help
out?
Thanks in advance.
- Jason
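The following is an added example, not part of Jason's post or of any reply in the thread. It shows the client-side check and change a practitioner would try for the symptom described above: inspecting and setting the LSA Kerberos host-to-realm mappings that the Windows SSPI provider consults (the ksetup /addhosttorealmmap and /addkdc commands and the HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos registry keys they write), then verifying with klist whether the cross-realm TGT appears in the LSA cache. It reuses the realm names from the post (EXAMPLE1.COM, AD.EXAMPLE2.COM); the host suffix .example1.com, the KDC name kdc1.example1.com and the service URL are assumptions for illustration only.

```powershell
# Added example (not from the original post). Inspects and configures the
# Windows LSA Kerberos mappings that SSPI uses to decide which realm a service
# principal belongs to, then checks the LSA ticket cache for the cross-realm TGT.
# Assumes: realm EXAMPLE1.COM (MIT) and logon domain AD.EXAMPLE2.COM as in the
# post; the host suffix, KDC name and test URL below are hypothetical.
# Run from an elevated prompt. ksetup ships with Windows; klist ships with
# Vista/2008 and later (on XP use the Resource Kit / KfW copy).

$Realm      = 'EXAMPLE1.COM'
$HostSuffix = '.example1.com'       # leading dot = every host under this suffix (ksetup convention)
$Kdc        = 'kdc1.example1.com'   # hypothetical MIT KDC for the realm
$TestUrl    = 'http://www.example1.com/'   # hypothetical SPNEGO-protected service

$LsaKerberos = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos'

function Show-HostToRealmMappings {
    # Each subkey under HostToRealm is a realm name; its SpnMappings (REG_MULTI_SZ)
    # value lists the host names / suffixes SSPI will map to that realm.
    $base = Join-Path $LsaKerberos 'HostToRealm'
    if (-not (Test-Path $base)) {
        Write-Host 'No HostToRealm mappings are configured on this client.'
        return
    }
    Get-ChildItem $base | ForEach-Object {
        $maps = (Get-ItemProperty $_.PSPath).SpnMappings
        '{0,-24} -> {1}' -f $_.PSChildName, ($maps -join ', ')
    }
}

function Show-RealmKdcs {
    # Domains\<REALM> holds KdcNames (REG_MULTI_SZ) and RealmFlags (REG_DWORD)
    # for realms the client has been told about explicitly (ksetup /addkdc).
    $base = Join-Path $LsaKerberos 'Domains'
    if (-not (Test-Path $base)) { Write-Host 'No explicit realm/KDC entries.'; return }
    Get-ChildItem $base | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        '{0,-24} KDCs: {1}  RealmFlags: {2}' -f $_.PSChildName, ($p.KdcNames -join ', '), $p.RealmFlags
    }
}

# 1. What SSPI currently knows (the registry view and ksetup's own dump).
Write-Host '--- HostToRealm mappings ---'; Show-HostToRealmMappings
Write-Host '--- Explicit realm/KDC entries ---'; Show-RealmKdcs
Write-Host '--- ksetup /dumpstate ---'; ksetup /dumpstate

# 2. Map hosts under .example1.com to the MIT realm. Without a mapping, SSPI
#    builds the SPN (e.g. HTTP/www.example1.com) against the logon realm
#    AD.EXAMPLE2.COM, and the domain controller has nothing to refer it to.
ksetup /addhosttorealmmap $HostSuffix $Realm

# 3. Optional: register the MIT KDC explicitly. Only needed when the client is
#    not resolving _kerberos._udp.example1.com SRV records, as the post describes.
ksetup /addkdc $Realm $Kdc

# 4. Verify. Purge cached tickets, make one SSPI-backed request to a service in
#    the MIT realm, then look for krbtgt/EXAMPLE1.COM@AD.EXAMPLE2.COM in the
#    LSA cache. A service ticket for @EXAMPLE1.COM confirms the full path.
klist purge
try {
    $req = [System.Net.WebRequest]::Create($TestUrl)
    $req.UseDefaultCredentials = $true     # forces SSPI (Negotiate) rather than KfW
    $req.GetResponse().Close()
} catch {
    Write-Host "Request failed: $($_.Exception.Message)"
}
klist tickets | Select-String -Pattern 'krbtgt/EXAMPLE1.COM', '@EXAMPLE1.COM'
```

Two caveats. First, these mappings are a machine-wide trust decision: whoever can write HostToRealm can steer authentication for a whole name suffix to a realm of their choosing, so they require administrative rights and are better deployed by policy than edited by hand. Second, the client mapping only fixes which realm SSPI asks for; the domain controller still has to hold the realm trust and hand back the cross-realm referral, so if step 4 shows no krbtgt/EXAMPLE1.COM entry after the mapping is in place, the next thing to capture is the KRB-TGS-REQ/REP exchange with the AD.EXAMPLE2.COM DC rather than the client's DNS traffic.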
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos