Re: Accessing an AD domain that is using MIT Kerberos Integration?




That computer that is not a member, is it a *nix machine by chance?
What is the error that comes back and what ends up in the security event
logs during the event?




"Joel D. Kraft" <jdkraft2@xxxxxxxxxxxxx> wrote in message
news:OsGtvyoqFHA.2592@xxxxxxxxxxxxxxxxxxxxxxx
> I am working with an active directory domain that has implemented
> single sign-on by creating a realm trust between the organization's
> active directory domain and an existing MIT Kerberos realm.
>
> AD.COMPANY.COM <-trust- REALM.COMPANY.COM
>
> All of the user accounts are mapped from the realm to AD user
> accounts, and the actual user account passwords are unknown.
> I would log into a domain computer, say server.company.com,
> as the user me@xxxxxxxxxxxxxxxxx with my Kerberos password.
>
> This works all fine and dandy when everyone is in the AD. But
> in a heterogeneous environment, this isn't quite as nice. The
> problem occurs when you want to access a share like
> \\server.company.com\myshare from a computer that is NOT a member
> of the AD.COMPANY.COM domain.
>
> Is this even possible? It seems that it *should* be, but it
> is definitely not as easy as using me@xxxxxxxxxxxxxxxxx or
> me@xxxxxxxxxxxxxx along with the Kerberos password when mapping
> a drive. I have already used ksetup /addkdc and /addkpasswd
> to let the client know about the location of the Kerberos servers
> for the realm.
>
> Which ticket would be required to successfully authenticate? Is
> there a way to actually obtain that ticket from within Windows, so
> that it can be seen by klist...even if it is an additional step?!?
>
> And then let's go one step further. Let's say that the client
> machine trying to make the connection is in a different AD domain
> without any current relationship to the AD.COMPANY.COM domain.
> Would establishing an outgoing realm trust between this second
> AD domain and REALM.COMPANY.COM or an outgoing external trust
> between it and AD.COMPANY.COM make the process easier?!
>
> Any helpful insights or pointers to good documentation are greatly
> appreciated!!!
>
> Joel
>
>
>




