[33062] in Kerberos
Re: Cross realm authentication
daemon@ATHENA.MIT.EDU (Mark Pröhl)
Fri Jan 7 05:33:39 2011
Message-ID: <4D26EBF3.6010301@mproehl.net>
Date: Fri, 07 Jan 2011 11:33:23 +0100
From: Mark Pröhl <mark@mproehl.net>
MIME-Version: 1.0
To: krbmit siso <krbmit@gmail.com>
In-Reply-To: <AANLkTi=k4GhibBmhJAH1sqb2WVyVudZK1wTozzbcPbKS@mail.gmail.com>
Cc: sudhakar@samsung.com, kerberos@mit.edu
Reply-To: mark@mproehl.net
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 01/06/2011 05:02 AM, krbmit siso wrote:
> Hi Mark,
>
> Please find the attached capture for cross realm setup . I did not
> understand why do you require
> 2 TGS-REQ going from client , please shed some light on the same .
The following sketch shows the principals involved in cross realm
authentication:

client                 realm-1 KDC
client@REALM1    ->    krbtgt/REALM1@REALM1
                              ^
                              |
                            TRUST
                       krbtgt/REALM2@REALM1
                       krbtgt/REALM1@REALM2
                              |
                              v
service          <-    realm-2 KDC
service@REALM2         krbtgt/REALM2@REALM2
Cross realm authentication usually works this way (scenario-1):
step 1: client requests a TGT in his realm: AS-REQ/AS-REP for
krbtgt/REALM1@REALM1
step 2: client decides that service belongs to REALM2 (by client
configuration, DNS topology or KDC referrals)
step 3: client requests a cross-realm TGT for REALM2 by TGS-REQ to
realm-1 KDC: krbtgt/REALM2@REALM1
step 4: client requests a service ticket for service@REALM2 by TGS-REQ to
realm-2 KDC. client presents krbtgt/REALM2@REALM1
That is why two TGS requests are sent from a client in a typical scenario.
Your cross realm scenario (from the wireshark capture) looks this way
(scenario-2):
step 1: client requests a cross-realm TGT for REALM2 by AS-REQ to realm-1
KDC for krbtgt/REALM2@REALM1
step 2: client requests a service ticket for service@REALM2 by TGS-REQ to
realm-2 KDC. client presents krbtgt/REALM2@REALM1
That should work as well but is not the usual way.
The problem could be caused by your client or the trust setup between
the two windows domains.
To test the trust setup you should simulate the client by using kinit
and kvno from MIT Kerberos:
simulate scenario-1: kinit client@REALM1; kvno service@REALM2
simulate scenario-2: kinit -S krbtgt/REALM2@REALM1 client@REALM1; kvno
service@REALM2
Your krb5.conf or DNS SRV records should provide the configuration for
both realms.
If that works then your trust setup is ok.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
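The request sequences described in the reply above (scenario-1 with its two TGS-REQs, scenario-2 with the cross-realm TGT obtained directly by AS-REQ), as an added worked model that is not part of the original mail and not code from MIT Kerberos. It goes beyond the mail in two ways: it finds the trust path with a breadth-first search so that it also covers a chain of realms (the case krb5.conf [capaths] describes), and it checks the setup rule behind "your trust setup is ok": the cross-realm principal krbtgt/B@A must be registered in both A's and B's KDC database, since A issues that ticket and B has to decrypt it. The realm names, the principal lists in KDC_DB and the third realm REALM3 are constructed for the example.

```python
"""Model of the client-side message sequence for Kerberos cross-realm
authentication.  Added example; realm and principal names are constructed
and KDC_DB is a hypothetical view of each KDC's principal database."""
from collections import deque


def krbtgt(to_realm, issuing_realm):
    """Local or cross-realm TGT principal name: krbtgt/TO@ISSUER."""
    return f"krbtgt/{to_realm}@{issuing_realm}"


def trust_problems(kdc_db, a, b):
    """Realms in which the principal backing the hop a -> b is missing.
    krbtgt/b@a must exist (with the same key) in a's KDC, which issues the
    ticket, and in b's KDC, which has to decrypt it.  Empty list = usable."""
    p = krbtgt(b, a)
    return [realm for realm in (a, b) if p not in kdc_db.get(realm, ())]


def trust_path(kdc_db, src, dst):
    """Shortest realm chain src -> ... -> dst using only usable hops.
    A direct trust yields [src, dst]; returns None when no path exists."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        realm = queue.popleft()
        if realm == dst:
            path = []
            while realm is not None:          # walk back to src
                path.append(realm)
                realm = prev[realm]
            return path[::-1]
        for nxt in kdc_db:
            if nxt not in prev and not trust_problems(kdc_db, realm, nxt):
                prev[nxt] = realm
                queue.append(nxt)
    return None


def request_sequence(kdc_db, client, service, scenario=1):
    """Messages the client sends to obtain a ticket for `service`.
    scenario 1: AS-REQ for the local TGT, then one TGS-REQ per trust hop.
    scenario 2: AS-REQ directly for the first cross-realm TGT (what
                'kinit -S krbtgt/REALM2@REALM1' does), saving one TGS-REQ.
    Each entry: (message, KDC realm asked, ticket wanted, ticket presented)."""
    crealm = client.split("@")[1]
    srealm = service.split("@")[1]
    path = trust_path(kdc_db, crealm, srealm)
    if path is None:
        raise ValueError(f"no usable trust path from {crealm} to {srealm}")
    msgs = []
    if scenario == 1 or len(path) == 1:      # same realm: nothing to skip
        held = krbtgt(crealm, crealm)
        hops = path
    else:
        held = krbtgt(path[1], crealm)       # cross-realm TGT via AS-REQ
        hops = path[1:]
    msgs.append(("AS-REQ", crealm, held, None))
    # one TGS-REQ per remaining hop: ask realm a for krbtgt/b@a, presenting
    # the TGT obtained in the previous step
    for a, b in zip(hops, hops[1:]):
        want = krbtgt(b, a)
        msgs.append(("TGS-REQ", a, want, held))
        held = want
    msgs.append(("TGS-REQ", srealm, service, held))   # the service ticket
    return msgs


# Constructed KDC view: two-way trust REALM1 <-> REALM2 as in the mail's
# sketch, plus a hypothetical REALM3 reachable only through REALM2.
KDC_DB = {
    "REALM1": {"krbtgt/REALM1@REALM1", "krbtgt/REALM2@REALM1",
               "krbtgt/REALM1@REALM2", "client@REALM1"},
    "REALM2": {"krbtgt/REALM2@REALM2", "krbtgt/REALM2@REALM1",
               "krbtgt/REALM1@REALM2", "krbtgt/REALM3@REALM2",
               "service@REALM2"},
    "REALM3": {"krbtgt/REALM3@REALM3", "krbtgt/REALM3@REALM2", "app@REALM3"},
}

if __name__ == "__main__":
    for scenario in (1, 2):
        print(f"scenario-{scenario}:")
        for m in request_sequence(KDC_DB, "client@REALM1", "service@REALM2",
                                  scenario):
            print("  ", m)
    print("two-hop path:", trust_path(KDC_DB, "REALM1", "REALM3"))
    print("reverse path:", trust_path(KDC_DB, "REALM3", "REALM1"))
```

Running it prints three messages for scenario-1 (one AS-REQ, two TGS-REQs) and two for scenario-2, matching the counts in the reply; REALM3 -> REALM1 yields no path because REALM3 holds no krbtgt/REALM2@REALM3, which is the one-way trust case. A half-configured trust shows up through trust_problems(): when krbtgt/REALM2@REALM1 is present in only one of the two KDCs, the hop is reported as unusable, which is exactly what the kinit/kvno test in the mail would reveal on a real setup.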