<HTML><HEAD><TITLE>Samsung Enterprise Portal mySingle</TITLE>
<META content="text/html; charset=utf-8" http-equiv=Content-Type>
<STYLE id=mysingle_style type=text/css>P {
MARGIN-TOP: 5px; FONT-FAMILY: Arial, arial; MARGIN-BOTTOM: 5px;
FONT-SIZE: 9pt
}
TD {
MARGIN-TOP: 5px; FONT-FAMILY: Arial, arial; MARGIN-BOTTOM: 5px;
FONT-SIZE: 9pt
}
LI {
MARGIN-TOP: 5px; FONT-FAMILY: Arial, arial; MARGIN-BOTTOM: 5px;
FONT-SIZE: 9pt
}
BODY {
LINE-HEIGHT: 1.4; MARGIN: 10px; FONT-FAMILY: Arial, arial; FONT-SIZE:
9pt
}
</STYLE>
<META name=GENERATOR content=ActiveSquare></HEAD>
<BODY>
<P>Hi Mark,</P>
<P><STRONG>Thank you for your timely response and
explanation.</STRONG></P>
<P>Also it will be good if you please share some links/pdf on kerberos
cross realm authentication w.r.t. requests and implementation details like
the requests going out from client.</P>
<P> </P>
<P>Regards</P>
<P>Naveen</P>
<P>------- <B>Original Message</B> -------</P>
<P><B>Sender</B> : Mark Pröhl <[email protected]></P>
<P><B>Date</B> : Jan 07, 2011 19:33 (GMT+09:00)</P>
<P><B>Title</B> : Re: Cross realm authentication</P>
<P>On 01/06/2011 05:02 AM, krbmit siso wrote:<BR>
> Hi Mark,<BR>
><BR>
> Please find the attached capture for cross realm setup. I did not<BR>
> understand why do you require<BR>
> 2 TGS-REQ going from client, please shed some light on the same.</P>
<P>the following sketch shows the principals involved in cross realm authentication:</P>
<PRE>
 client                       realm-1 KDC
 cli...@realm1    ->          krbtgt/rea...@realm1

                                   ^
                                   |
                                 TRUST
                          krbtgt/rea...@realm1
                          krbtgt/rea...@realm2
                                   |
                                   v

 service          &lt;-          realm-2 KDC
 serv...@realm2               krbtgt/rea...@realm2
</PRE>
<P>cross realm authentication usually works this way (scenario-1):</P>
<P>step 1: client requests a TGT in his realm: AS-REQ/AS-REP for krbtgt/rea...@realm1<BR>
step 2: client decides that service belongs to REALM2 (by client configuration, dns topology or kdc referrals)<BR>
step 3: client requests a cross-realm TGT for REALM2 by TGS-REQ to realm-1 KDC: krbtgt/rea...@realm1<BR>
step 4: client requests a service ticket for serv...@realm2 by TGS-REQ to realm-2 KDC. client presents krbtgt/rea...@realm1</P>
<P>that is why two TGS requests are sent from a client in a typical scenario.</P>
<P>your cross realm scenario (from wireshark capture) looks this way (scenario-2):</P>
<P>step 1: client requests a cross-realm TGT for REALM2 by AS-REQ to realm-1 KDC for krbtgt/rea...@realm1<BR>
step 2: client requests a service ticket for serv...@realm2 by TGS-REQ to realm-2 KDC. client presents krbtgt/rea...@realm1</P>
<P>that should work as well but is not the usual way.</P>
<P>The problem could be caused by your client or the trust setup between the two windows domains.<BR>
To test the trust setup you should simulate the client by using kinit and kvno from MIT Kerberos:</P>
<P>simulate scenario-1: kinit cli...@realm1; kvno serv...@realm2<BR>
simulate scenario-2: kinit -S krbtgt/rea...@realm1 cli...@realm1; kvno serv...@realm2</P>
<P>your krb5.conf or DNS SRV records should provide the configuration for both realms.</P>
<P>if that works then your trust setup is ok.</P>
<P>________________________________________________<BR>
Kerberos mailing list [email protected]<BR>
https://mailman.mit.edu/mailman/listinfo/kerberos</P>
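<P>The two flows in Mark's reply, as an added example that is not part of the original thread: a small checker that takes the KDC requests as one would read them off the Wireshark capture (message type, KDC realm contacted, requested sname, ticket presented in PA-TGS-REQ) and reports whether the exchange follows scenario-1, scenario-2, or leaves the trust path. The realm names, the service principal and the three captures are constructed placeholders, not values from the thread.</P>

```python
from dataclasses import dataclass

# All realm and principal names in this file are constructed examples.
CLIENT_REALM = "REALM1"
SERVICE = "host/app.realm2.test@REALM2"

@dataclass(frozen=True)
class KdcMsg:
    msg_type: str          # "AS-REQ" or "TGS-REQ"
    kdc_realm: str         # realm of the KDC the request was sent to
    sname: str             # requested principal, e.g. "krbtgt/REALM2@REALM1"
    presented: str = ""    # ticket carried in PA-TGS-REQ (TGS-REQ only)

def classify_cross_realm(msgs, client_realm, service):
    """Return (scenario name or 'anomalous', list of findings)."""
    svc_realm = service.rsplit("@", 1)[1]
    local_tgt = f"krbtgt/{client_realm}@{client_realm}"
    xrealm_tgt = f"krbtgt/{svc_realm}@{client_realm}"
    templates = {
        # AS-REQ for own TGT, TGS-REQ for cross-realm TGT, TGS-REQ at realm-2 KDC
        "scenario-1": [("AS-REQ", client_realm, local_tgt, ""),
                       ("TGS-REQ", client_realm, xrealm_tgt, local_tgt),
                       ("TGS-REQ", svc_realm, service, xrealm_tgt)],
        # AS-REQ straight for the cross-realm TGT (kinit -S), then one TGS-REQ
        "scenario-2": [("AS-REQ", client_realm, xrealm_tgt, ""),
                       ("TGS-REQ", svc_realm, service, xrealm_tgt)],
    }
    observed = [(m.msg_type, m.kdc_realm, m.sname, m.presented) for m in msgs]
    for name, expected in templates.items():
        if observed == expected:
            return name, []
    findings = []  # not a textbook flow: explain where it left the trust path
    for m in msgs:
        if m.msg_type == "TGS-REQ" and m.sname == service and m.kdc_realm != svc_realm:
            findings.append(f"service ticket requested from {m.kdc_realm} KDC, expected {svc_realm}")
        if m.msg_type == "TGS-REQ" and m.kdc_realm == svc_realm and m.presented != xrealm_tgt:
            findings.append(f"{svc_realm} KDC shown {m.presented!r}, expected {xrealm_tgt}")
    if not any(m.sname == xrealm_tgt for m in msgs):
        findings.append(f"no request for cross-realm TGT {xrealm_tgt} seen")
    return "anomalous", findings

# Constructed captures: the two flows from the reply, plus a client that skips the trust.
SCENARIO_1 = [KdcMsg("AS-REQ", "REALM1", "krbtgt/REALM1@REALM1"),
              KdcMsg("TGS-REQ", "REALM1", "krbtgt/REALM2@REALM1", "krbtgt/REALM1@REALM1"),
              KdcMsg("TGS-REQ", "REALM2", SERVICE, "krbtgt/REALM2@REALM1")]
SCENARIO_2 = [KdcMsg("AS-REQ", "REALM1", "krbtgt/REALM2@REALM1"),
              KdcMsg("TGS-REQ", "REALM2", SERVICE, "krbtgt/REALM2@REALM1")]
BROKEN = [KdcMsg("AS-REQ", "REALM1", "krbtgt/REALM1@REALM1"),
          KdcMsg("TGS-REQ", "REALM2", SERVICE, "krbtgt/REALM1@REALM1")]
```

<P>Running classify_cross_realm over BROKEN reports that the realm-2 KDC was shown a REALM1 TGT it cannot decrypt and that no cross-realm TGT was ever requested, which is the kind of deviation a kinit/kvno simulation against the real trust would surface.</P>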
</BODY></HTML>