Hi Kevin,

Please help me to solve the cross realm set up. Please find the attached captures.

Regards
Naveen

---------- Forwarded message ----------
From: krbmit siso <[email protected]>
Date: Thu, Jan 6, 2011 at 9:32 AM
Subject: Re: Cross realm authentication
To: [email protected]
Cc: [email protected], [email protected]

Hi Mark,

Please find the attached capture for cross realm setup. I did not understand why do you require 2 TGS-REQ going from client, please shed some light on the same.

Thanks and Regards
Naveen

On Wed, Jan 5, 2011 at 7:16 PM, Mark Pröhl <[email protected]> wrote:

> Can you do a capture of the kerberos network traffic (port 88) with
> wireshark on the client machine? that should include all kerberos
> exchanges:
>
> client -> AS-REQ --> realm1 kdc
> client <- AS-REP <-- realm1 kdc
> client -> TGS-REQ -> realm1 kdc
> client <- TGS-REP <- realm1 kdc
> client -> TGS-REQ -> realm2 kdc
> client <- KDC-ERR <- realm2 kdc
>
> Can you provide more information about the client that does the cross
> realm request (Windows, MIT Kerberos, Java, ...)
>
> On 01/05/2011 10:23 AM, krbmit siso wrote:
>
> Hi Mark,
> Thanks for the reply and interest.
> The Client in realm1 sends AS-REQ to realm1 kdc with following info
>
> *AS-REQ info*
> Client Name (Enterprise Name): [email protected] ( I am using domain
> itself as realm )
> Realm: realm1.com
>
> Server Name (Principal): krbtgt/realm2.com
>
> I have added 2 way trust in realm1 Active Directory Domains and trusts of
> windows 2003 server.
> I have also added 2 way trust in realm2 Active Directory Domains and trusts
> of windows 2008 server
> but the TRUST is not visible.
>
> *Server Principal Names in TGS-REQ.*
> Padata field -> Contents in the TICKET which is visible
> Tkt-vno: 5
> Realm: realm1.com
> Server Name (Principal): krbtgt/realm2.com
> Kdc-Req-body->
> Realm: REALM2.COM <http://realm2.com/>
> Server Name (Principal): ldap/win2003.realm2.com <http://win2003dpdnic.realm2.com/>
>
> Please revert for any other info
> Regards
> Naveen
>
> On Wed, Jan 5, 2011 at 1:29 PM, Mark Pröhl <[email protected]> wrote:
>
>> Hi,
>>
>> what is the requested service principal name in the tgs request to
>> realm2 kdc?
>>
>> Can you provide more information about the client that does the cross
>> realm request (Windows, MIT Kerberos, Java, ...)
>>
>> Regards,
>>
>> Mark Pröhl
>>
>> On 01/05/2011 06:47 AM, krbmit siso wrote:
>> > Hi All,
>> >
>> > Please guide me to get cross realm authentication working under windows 2008
>> > server environment.
>> > I have set up two domain with realm1 and realm 2 in 2 different windows
>> > servers. I have added a one
>> > way trust at realm1 for realm2. The client is in realm1 wants to access a
>> > server at realm2. I got the
>> > AS-REP with referral ticket for krbtgt/rea...@realm1 from realm1 KDC
>> > server. Now the problem is
>> > that I am sending TGS-REQ to KDC server of realm2 by submitting referral TGT,
>> > but the server returns
>> > with a KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN even though the principal
>> > name is the same
>> > as the name with working condition in single realm setup.
>> > In Info in TGS req.
>> >
>> > Padata field ->
>> > Tkt-vno: 5
>> > Realm: realm1.com
>> > Server Name (Principal): krbtgt/realm2.com
>> > Kdc-Req-body->
>> > Realm: REALM2.COM
>> > Server Name (Principal): ldap/win2003dpdnic.realm2.com
>> >
>> > Please guide me on identifying and resolving the problem for cross realm
>> > authentication.
>> >
>> > Thanks and Regards
>> > Naveen
>> > ________________________________________________
>> > Kerberos mailing list [email protected]
>> > https://mailman.mit.edu/mailman/listinfo/kerberos
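Added example (not part of the original thread, and not code from any poster): a Python check that lines a decoded port-88 capture up against the six-message cross-realm sequence listed in the thread and reports which exchanges are absent or ended in an error. The message dictionaries, the `check_capture` name and both sample captures are constructed for illustration from the fields quoted in the thread.

```python
# Expected client-side sequence from the thread, as (message, KDC realm).
# The thread lists KDC-ERR as the last message because the request fails;
# the success counterpart used here is TGS-REP.
EXPECTED = [
    ("AS-REQ", "realm1"), ("AS-REP", "realm1"),
    ("TGS-REQ", "realm1"), ("TGS-REP", "realm1"),
    ("TGS-REQ", "realm2"), ("TGS-REP", "realm2"),
]


def check_capture(capture):
    """Compare decoded Kerberos messages with EXPECTED and return findings."""
    findings, i = [], 0
    for msg, kdc in EXPECTED:
        seen = capture[i] if i < len(capture) else None
        same_kdc = seen is not None and seen["kdc"] == kdc
        if same_kdc and seen["msg"] == msg:
            i += 1                                    # step present
        elif same_kdc and seen["msg"] == "KRB-ERROR" and msg.endswith("REP"):
            # The KDC replied, but with an error instead of a ticket.
            findings.append(
                f"{kdc} kdc answered {msg[:-4]}-REQ with {seen['error']}")
            i += 1
        else:
            findings.append(f"missing {msg} with {kdc} kdc")
    findings += [f"unexpected {m['msg']} with {m['kdc']} kdc"
                 for m in capture[i:]]
    return findings


# Constructed capture: the exchange as described in the first post
# (AS exchange with realm1, then a single TGS-REQ sent to realm2).
DESCRIBED = [
    {"msg": "AS-REQ", "kdc": "realm1", "sname": "krbtgt/realm2.com"},
    {"msg": "AS-REP", "kdc": "realm1"},
    {"msg": "TGS-REQ", "kdc": "realm2",
     "sname": "ldap/win2003dpdnic.realm2.com"},
    {"msg": "KRB-ERROR", "kdc": "realm2",
     "error": "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN"},
]

# Constructed capture: all six messages of the listed sequence, succeeding.
COMPLETE = [{"msg": m, "kdc": k} for m, k in EXPECTED]

if __name__ == "__main__":
    for line in check_capture(DESCRIBED):
        print(line)
```
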
