Re: Windows 2008 Trust To MIT Kerberos Server

That's actually an incorrect representation of how Kerberos works in a cross-realm scenario. When set up correctly, the process is as follows after the user enters their login info (assuming they're logging in to KRB5DOMAIN.MYDOMAIN.COM):

1) Windows requests an initial TGT from the MIT realm (krbtgt/KRB5DOMAIN.MYDOMAIN.COM)
2) Windows then obtains a service ticket from the MIT realm (krbtgt/KRB5DOMAIN.MYDOMAIN.COM) with the forwarded and forwardable flags set
3) Windows then obtains a service ticket from the MIT realm for AD.MYDOMAIN.COM (krbtgt/AD.MYDOMAIN.COM) with just the forwardable flag set - no initial flag
4) With that TGT from the MIT realm, Windows is now able to obtain an LDAP service ticket from Active Directory (ldap/DC.AD.MYDOMAIN.COM)

The TGS from KRB5DOMAIN.MYDOMAIN.COM is used to obtain all further tickets for Active Directory services (i.e. HTTP, CIFS, etc.)

The tickets are verified between domains because they're encrypted with the interdomain secret created by each trusting domain.

I'm not a Kerberos expert like some, but I'm fairly sure this is a pretty accurate representation of how this process works. Feel free to poke holes in any part.
--
Joseph T. Corey MCSE, Security+
Systems Administrator
http://joecorey.wordpress.com/
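As an added example (not part of this thread or either poster's setup), the following Python checks a client's `klist -f` output for the ticket chain described above: the initial TGT from the MIT realm, a cross-realm TGT for AD.MYDOMAIN.COM that is forwardable but not initial, and the LDAP service ticket issued by Active Directory. The klist output is constructed; the realm and service names are the ones used in the thread, and the function names are assumptions.

```python
import re

# Constructed `klist -f` output for a user who logged in to the MIT realm;
# timestamps are invented, principal names follow the thread.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: myuser@KRB5DOMAIN.MYDOMAIN.COM

Valid starting       Expires              Service principal
05/20/2008 10:00:00  05/20/2008 20:00:00  krbtgt/KRB5DOMAIN.MYDOMAIN.COM@KRB5DOMAIN.MYDOMAIN.COM
\tFlags: FIA
05/20/2008 10:00:05  05/20/2008 20:00:00  krbtgt/AD.MYDOMAIN.COM@KRB5DOMAIN.MYDOMAIN.COM
\tFlags: FA
05/20/2008 10:00:06  05/20/2008 20:00:00  ldap/DC.AD.MYDOMAIN.COM@AD.MYDOMAIN.COM
\tFlags: FA
"""

# A ticket line: two timestamps (date + time each) followed by service@REALM.
TICKET_RE = re.compile(r"^\S+ \S+\s+\S+ \S+\s+(?P<spn>\S+@\S+)$")
# The flags line printed by `klist -f` under each ticket (F forwardable, I initial, ...).
FLAGS_RE = re.compile(r"^\s*Flags:\s*(?P<flags>\S*)")

def parse_klist(text):
    """Return {service principal: set of flag letters} from `klist -f` output."""
    tickets, current = {}, None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            current = m.group("spn")
            tickets[current] = set()
            continue
        m = FLAGS_RE.match(line)
        if m and current:
            tickets[current] = set(m.group("flags"))
    return tickets

def check_cross_realm_chain(tickets, mit_realm, ad_realm, service):
    """Verify the MIT -> AD ticket chain; returns a list of problems (empty means OK)."""
    problems = []
    local_tgt = f"krbtgt/{mit_realm}@{mit_realm}"   # step 1: initial TGT from the MIT KDC
    xrealm_tgt = f"krbtgt/{ad_realm}@{mit_realm}"   # step 3: cross-realm TGT, issued by MIT for AD
    svc = f"{service}@{ad_realm}"                   # step 4: service ticket issued by the AD KDC
    if local_tgt not in tickets:
        problems.append(f"missing initial TGT {local_tgt}: login against the MIT realm failed")
    elif "I" not in tickets[local_tgt]:
        problems.append(f"{local_tgt} is not marked initial (I)")
    if xrealm_tgt not in tickets:
        problems.append(f"missing cross-realm TGT {xrealm_tgt}: MIT KDC did not issue one")
    else:
        if "F" not in tickets[xrealm_tgt]:
            problems.append(f"{xrealm_tgt} is not forwardable (F)")
        if "I" in tickets[xrealm_tgt]:
            problems.append(f"{xrealm_tgt} is unexpectedly marked initial (I)")
    if svc not in tickets:
        problems.append(f"missing service ticket {svc}: AD did not accept the cross-realm TGT")
    return problems
```

If the cross-realm TGT is missing, the failure is on the MIT side (trust key or path); if only the service ticket is missing, the AD KDC rejected the cross-realm TGT.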

"William Holmes" <wtholmes@xxxxxxxxxxx> wrote in message news:%23Xx9RJbxIHA.4268@xxxxxxxxxxxxxxxxxxxxxxx
Hello,

I'm not sure that your statement is actually true with respect to the configuration I am setting up. I have set up a trust between an Active Directory Domain and a MIT Kerberos Domain. That being said:

I want to use the MIT Kerberos Domain to Authenticate a mapped Active Directory User.

That is:

myuser@xxxxxxxxxxxxxxxxxxxxxxx is mapped to a user named myuser in the Active Directory Domain.

When the user logs on they use their password from KRB5DOMAIN.MYDOMAIN.COM and receive their TGT from the MIT Kerberos Domain. Those tickets are trusted by the Active Directory Domain (because I set up the trust) and the Kerberos principal is mapped to an Active Directory User, which again I have set up using the Security Identity Mapping in Active Directory Users And Computers.

When the Domain Controller receives the MIT credentials it should forward them to the MIT Kerberos Server and that is not happening. Again, this is a Windows 2008 Active Directory Server set to Windows 2003 Functional Level.

Bill



"Joseph T Corey" <jcorey@xxxxxxxxxxxxxx> wrote in message news:8168EFDE-187F-43EE-8CA5-E94D946784BF@xxxxxxxxxxxxxxxx
This would be by design. MIT KDCs and AD KDCs do not communicate directly.

Also, what is the scenario you're trying to accomplish? Are you using the MIT realm as an account domain, a resource domain, or some other scenario?

--
Joseph T. Corey MCSE, Security+
Systems Administrator
http://joecorey.wordpress.com/

"William Holmes" <wtholmes@xxxxxxxxxxx> wrote in message news:OuSHUSaxIHA.3680@xxxxxxxxxxxxxxxxxxxxxxx
Hello,

I am trying to set up a cross-realm trust from Windows 2008 to MIT Kerberos. I have set up the trust, but when attempting to authenticate with the MIT realm I am not seeing any traffic between the Windows 2008 Domain Controller and the MIT Kerberos Server. The Windows 2008 AD is running at the 2003 Functional Level.

Any ideas on why the auth request might not be going out? I am using Network Monitor to look at traffic between the two servers and nothing is going between them.

Thanks

Bill
