Can you do a capture of the kerberos network traffic (port 88) with wireshark on the client machine? That should include all kerberos exchanges:

client -> AS-REQ  -> realm1 kdc
client <- AS-REP  <- realm1 kdc
client -> TGS-REQ -> realm1 kdc
client <- TGS-REP <- realm1 kdc
client -> TGS-REQ -> realm2 kdc
client <- KDC-ERR <- realm2 kdc

Can you provide more information about the client that does the cross realm request (Windows, MIT Kerberos, Java, ...)?

On 01/05/2011 10:23 AM, krbmit siso wrote:
> Hi Mark,
> Thanks for the reply and interest.
> The Client in realm1 sends AS-REQ to realm1 kdc with following info
>
> *AS-REQ info*
> Client Name (Enterprise Name): [email protected] ( I am using domain itself as realm )
> Realm: realm1.com
>
> Server Name (Principal): krbtgt/realm2.com
>
> I have added 2 way trust in realm1 Active Directory Domains and trusts of windows 2003 server.
> I have also added 2 way trust in realm2 Active Directory Domains and trusts of windows 2008 server
> but the TRUST is not visible.
>
> *Server Principal Names in TGS-REQ.*
> Padata field -> Contents in the TICKET which is visible
>   Tkt-vno: 5
>   Realm: realm1.com
>   Server Name (Principal): krbtgt/realm2.com
> Kdc-Req-body->
>   Realm: REALM2.COM
>   Server Name (Principal): ldap/win2003.realm2.com
>
> Please revert for any other info
> Regards
> Naveen
>
> On Wed, Jan 5, 2011 at 1:29 PM, Mark Pröhl <[email protected]> wrote:
>> Hi,
>>
>> what is the requested service principal name in the tgs request to realm2 kdc?
>>
>> Can you provide more information about the client that does the cross realm request (Windows, MIT Kerberos, Java, ...)
>>
>> Regards,
>>
>> Mark Pröhl
>>
>> On 01/05/2011 06:47 AM, krbmit siso wrote:
>>> Hi All,
>>>
>>> Please guide me to get cross realm authentication working under windows 2008 server environment.
>>> I have set up two domains with realm1 and realm2 in 2 different windows servers. I have added a one way trust at realm1 for realm2. The client in realm1 wants to access a server at realm2. I got the AS-REP with referral ticket for krbtgt/rea...@realm1 from realm1 KDC server. Now the problem is that I am sending TGS-REQ to KDC server of realm2 by submitting referral TGT, but the server returns with a KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN even though the principal name is the same as the name with working condition in single realm setup.
>>> Info in TGS req.
>>>
>>> Padata field ->
>>>   Tkt-vno: 5
>>>   Realm: realm1.com
>>>   Server Name (Principal): krbtgt/realm2.com
>>> Kdc-Req-body->
>>>   Realm: REALM2.COM
>>>   Server Name (Principal): ldap/win2003dpdnic.realm2.com
>>>
>>> Please guide me on identifying and resolving the problem for cross realm authentication.
>>>
>>> Thanks and Regards
>>> Naveen
>>> ________________________________________________
>>> Kerberos mailing list [email protected]
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
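Added example, not code from the thread: a small Python encoder/decoder for the KRB-ERROR message a KDC returns, the kind of port-88 payload one would pull out of the capture requested above. The sample message is constructed here from the values quoted in the thread (error code 7 is KDC_ERR_S_PRINCIPAL_UNKNOWN per RFC 4120; realm REALM2.COM; sname ldap/win2003dpdnic.realm2.com); the timestamp is made up.

```python
# Added example, not code from the thread: encode a minimal KRB-ERROR (RFC 4120 5.9.1) as a KDC
# sends it over UDP/88 (TCP prefixes a 4-byte length) and read the fields back out of the raw DER.
KRB_ERROR_NAMES = {7: "KDC_ERR_S_PRINCIPAL_UNKNOWN"}  # RFC 4120 value; others omitted

def tlv(tag, body):  # DER element: tag, length (short or long form), value
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def ctx(n, body):  # explicit context-specific tag [n], as Kerberos uses
    return tlv(0xA0 | n, body)

def kstring(s):  # KerberosString is a GeneralString (tag 0x1b)
    return tlv(0x1B, s.encode())

def build_krb_error(code, realm, sname_parts):  # KRB-ERROR with only its mandatory fields
    sname = tlv(0x30, ctx(0, tlv(0x02, b"\x02"))  # PrincipalName, name-type NT-SRV-INST
                + ctx(1, tlv(0x30, b"".join(kstring(p) for p in sname_parts))))
    seq = (ctx(0, tlv(0x02, b"\x05")) + ctx(1, tlv(0x02, bytes([30])))  # pvno, msg-type
           + ctx(4, tlv(0x18, b"20110105102300Z")) + ctx(5, tlv(0x02, b"\x00"))  # stime, susec
           + ctx(6, tlv(0x02, bytes([code]))) + ctx(9, kstring(realm)) + ctx(10, sname))
    return tlv(0x7E, tlv(0x30, seq))  # 0x60 | 30: [APPLICATION 30] constructed

def read_tlv(buf, pos=0):  # -> (tag, value, next_pos) for the element starting at pos
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(buf):  # (tag number, value) for each element of a constructed value
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag & 0x1F, val

def parse_krb_error(payload):
    """Fields a troubleshooter wants from a raw KRB-ERROR; ValueError if it is not one."""
    tag, body, _ = read_tlv(payload)
    if tag != 0x7E:
        raise ValueError("not a KRB-ERROR (APPLICATION 30)")
    fields = {n: read_tlv(v)[1] for n, v in children(read_tlv(body)[1])}
    pname = {n: read_tlv(v)[1] for n, v in children(fields[10])}
    code = int.from_bytes(fields[6], "big", signed=True)
    return {"error_code": code, "error_name": KRB_ERROR_NAMES.get(code, "?"),
            "realm": fields[9].decode(), "sname": "/".join(v.decode() for _, v in children(pname[1]))}

SAMPLE = build_krb_error(7, "REALM2.COM", ["ldap", "win2003dpdnic.realm2.com"])  # constructed sample
```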
