
Re: Cross realm authentication

daemon@ATHENA.MIT.EDU (Mark Pröhl)
Fri Jan 7 05:33:39 2011

Message-ID: <4D26EBF3.6010301@mproehl.net>
Date: Fri, 07 Jan 2011 11:33:23 +0100
From: Mark Pröhl <mark@mproehl.net>
MIME-Version: 1.0
To: krbmit siso <krbmit@gmail.com>
In-Reply-To: <AANLkTi=k4GhibBmhJAH1sqb2WVyVudZK1wTozzbcPbKS@mail.gmail.com>
Cc: sudhakar@samsung.com, kerberos@mit.edu
Reply-To: mark@mproehl.net
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 01/06/2011 05:02 AM, krbmit siso wrote:
> Hi Mark,
>
> Please find the attached capture for the cross-realm setup. I did not
> understand why you require 2 TGS-REQs going from the client; please shed
> some light on the same.

The following sketch shows the principals involved in cross-realm 
authentication:

    client              realm-1 KDC
    client@REALM1  ->   krbtgt/REALM1@REALM1

                              ^
                              |
                            TRUST
                      krbtgt/REALM2@REALM1
                      krbtgt/REALM1@REALM2
                              |
                              v

     service <-   realm-2 KDC
     service@REALM2      krbtgt/REALM2@REALM2


Cross-realm authentication usually works this way (scenario-1):

step 1: client requests a TGT in his realm: AS-REQ/AS-REP for 
krbtgt/REALM1@REALM1
step 2: client decides that the service belongs to REALM2 (by client 
configuration, DNS topology or KDC referrals)
step 3: client requests a cross-realm TGT for REALM2 by TGS-REQ to 
realm-1 KDC: krbtgt/REALM2@REALM1
step 4: client requests a service ticket for service@REALM2 by TGS-REQ to 
realm-2 KDC. The client presents krbtgt/REALM2@REALM1

That is why two TGS requests are sent from a client in a typical scenario.

Your cross-realm scenario (from the Wireshark capture) looks this way 
(scenario-2):

step 1: client requests a cross-realm TGT for REALM2 by AS-REQ to realm-1 
KDC for krbtgt/REALM2@REALM1
step 2: client requests a service ticket for service@REALM2 by TGS-REQ to 
realm-2 KDC. The client presents krbtgt/REALM2@REALM1

That should work as well, but it is not the usual way.

The problem could be caused by your client or by the trust setup between 
the two Windows domains.
To test the trust setup you should simulate the client by using kinit 
and kvno from MIT Kerberos:

simulate scenario-1: kinit client@REALM1; kvno service@REALM2
simulate scenario-2: kinit -S krbtgt/REALM2@REALM1 client@REALM1; kvno 
service@REALM2

Your krb5.conf or DNS SRV records should provide the configuration for 
both realms.

If that works, then your trust setup is OK.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
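The two scenarios from the reply above, as an added toy model (my own example code, not from the mail, the poster, or MIT Kerberos). It keeps the principal names quoted in the mail (client@REALM1, krbtgt/REALM1@REALM1, krbtgt/REALM2@REALM1, service@REALM2) and replaces real ticket encryption with an HMAC tag under the named principal's key, so the only thing modelled is which KDC must hold which key. Pre-authentication, session keys and the transited field are left out, and every key is constructed. Beyond the mail it also shows the failure mode the last paragraph is testing for: when the two databases disagree on the krbtgt/REALM2@REALM1 key, the realm-2 KDC cannot open the cross-realm TGT and step 4 fails.

```python
"""Toy model of the cross-realm exchanges in the mail above (added example).
A ticket is an HMAC-tagged record standing in for a ticket encrypted under the
named principal's key; pre-auth, session keys and the transited field are omitted."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional


def key_from_secret(secret: str) -> bytes:
    """Stand-in for deriving a principal's long-term key (constructed, not string2key)."""
    return hashlib.sha256(secret.encode()).digest()


@dataclass(frozen=True)
class Ticket:
    sname: str   # principal whose key the ticket is "encrypted" under
    cname: str   # authenticated client named in the ticket
    tag: bytes   # MAC over (sname, cname) under sname's key


def _tag(key: bytes, sname: str, cname: str) -> bytes:
    return hmac.new(key, json.dumps([sname, cname]).encode(), hashlib.sha256).digest()


def seal(key: bytes, sname: str, cname: str) -> Ticket:
    return Ticket(sname, cname, _tag(key, sname, cname))


def opens_with(key: bytes, t: Ticket) -> bool:
    """True if the ticket was sealed under `key`, i.e. this party could decrypt it."""
    return hmac.compare_digest(t.tag, _tag(key, t.sname, t.cname))


class KDC:
    """One realm's KDC; it knows only the keys in its own principal database."""
    def __init__(self, realm: str, db: dict) -> None:
        self.realm, self.db, self.log = realm, dict(db), []

    def as_req(self, cname: str, client_key: bytes, sname: str) -> Ticket:
        """AS exchange: the client proves its own key, the KDC issues a ticket for sname."""
        self.log.append(f"AS-REQ {cname} -> {sname}")
        stored = self.db.get(cname)
        if stored is None or not hmac.compare_digest(stored, client_key):
            raise PermissionError(f"{self.realm} KDC: bad key for {cname}")
        return self._issue(sname, cname)

    def tgs_req(self, presented: Ticket, sname: str) -> Ticket:
        """TGS exchange: the presented TGT must open with a key this KDC holds."""
        self.log.append(f"TGS-REQ presenting {presented.sname} -> {sname}")
        key = self.db.get(presented.sname)
        if key is None or not opens_with(key, presented):
            raise PermissionError(f"{self.realm} KDC cannot decrypt {presented.sname}: "
                                  "inter-realm key mismatch")
        return self._issue(sname, presented.cname)

    def _issue(self, sname: str, cname: str) -> Ticket:
        if sname not in self.db:
            raise KeyError(f"{sname} is not in the {self.realm} database")
        return seal(self.db[sname], sname, cname)


def build_realms(realm2_trust_key: Optional[bytes] = None):
    """Two realms with trust REALM1 -> REALM2; all keys constructed for the model.
    krbtgt/REALM2@REALM1 must hold the same key in both databases; passing a
    different realm2_trust_key models a broken trust setup."""
    client_key = key_from_secret("client-password")
    trust_key = key_from_secret("inter-realm-secret")
    kdc1 = KDC("REALM1", {"client@REALM1": client_key,
                          "krbtgt/REALM1@REALM1": key_from_secret("realm1-tgt-key"),
                          "krbtgt/REALM2@REALM1": trust_key})
    kdc2 = KDC("REALM2", {"krbtgt/REALM2@REALM2": key_from_secret("realm2-tgt-key"),
                          "krbtgt/REALM2@REALM1": realm2_trust_key or trust_key,
                          "service@REALM2": key_from_secret("service-key")})
    return client_key, kdc1, kdc2


def scenario_1(client_key: bytes, kdc1: KDC, kdc2: KDC) -> Ticket:
    """Steps 1-4 from the mail: local TGT first, then two TGS-REQs."""
    tgt = kdc1.as_req("client@REALM1", client_key, "krbtgt/REALM1@REALM1")  # step 1
    # step 2: the client decides service@REALM2 belongs to REALM2 (config, DNS, referral)
    xtgt = kdc1.tgs_req(tgt, "krbtgt/REALM2@REALM1")                         # step 3
    return kdc2.tgs_req(xtgt, "service@REALM2")                              # step 4


def scenario_2(client_key: bytes, kdc1: KDC, kdc2: KDC) -> Ticket:
    """The capture's variant: AS-REQ straight for the cross-realm TGT, then one TGS-REQ."""
    xtgt = kdc1.as_req("client@REALM1", client_key, "krbtgt/REALM2@REALM1")
    return kdc2.tgs_req(xtgt, "service@REALM2")


def tgs_request_count(*kdcs: KDC) -> int:
    return sum(1 for k in kdcs for entry in k.log if entry.startswith("TGS-REQ"))


def trust_check(realm2_trust_key: Optional[bytes] = None) -> bool:
    """Model of 'kinit client@REALM1; kvno service@REALM2': True if a ticket comes back."""
    client_key, kdc1, kdc2 = build_realms(realm2_trust_key)
    try:
        scenario_1(client_key, kdc1, kdc2)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    key, k1, k2 = build_realms()
    st = scenario_1(key, k1, k2)
    print(st.sname, "for", st.cname, "after", tgs_request_count(k1, k2), "TGS-REQs")
    print("trust ok:", trust_check(), "| broken trust:", trust_check(key_from_secret("wrong")))
```

Running it shows two TGS-REQs in scenario-1 and one in scenario-2, with the same service ticket at the end of both, which is the point of the reply: the extra TGS-REQ is the hop that fetches krbtgt/REALM2@REALM1 from the client's own KDC. The trust_check function is the kinit/kvno test from the mail reduced to a boolean, and it only turns false when the inter-realm key differs between the two databases, which is what distinguishes a trust problem from a client problem.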
