Re: Windows 2008 Trust To MIT Kerberos Server
- From: "Joseph T Corey" <jcorey@xxxxxxxxxxxxxx>
- Date: Wed, 4 Jun 2008 09:18:19 -0400
Is there a client involved here? Or are you logging into your Domain Controller using the Kerberos realm? What method did you use to point your client to the MIT realm?
Also, what traffic are you "expecting" to see? What exactly isn't working? Are you using kerbtray and not seeing any tickets in the cache? Or are you not being authenticated at all with the MIT KDCs?
--
Joseph T. Corey MCSE, Security+
Systems Administrator
http://joecorey.wordpress.com/
"William Holmes" <wtholmes@xxxxxxxxxxx> wrote in message news:%23qpkRGkxIHA.2068@xxxxxxxxxxxxxxxxxxxxxxx
Hello,
Thanks for the more detailed explanation. However my point is that there is no traffic happening between my Active Directory Server and the MIT Kerberos Server. When I had set this up under Windows 2003 there was network traffic between these two servers. Right now no traffic is passing between the servers. I can connect between the AD and MIT Kerberos server using other protocols like RDP and SSH as well as ping both directions but Windows is never requesting a TGT from the MIT Kerberos Server (at least the network trace is never seeing this).
Any ideas on why the attempt is apparently not even being made?
Thanks
Bill
"Joseph T Corey" <jcorey@xxxxxxxxxxxxxx> wrote in message news:A9161596-D0D1-4F92-991C-AE89C1808673@xxxxxxxxxxxxxxxx
That's actually an incorrect representation of how Kerberos works in a cross-realm scenario. When set up correctly, the process is as follows after the user enters their login info (assuming they're logging in to KRB5DOMAIN.MYDOMAIN.COM):
1) Windows requests an initial TGT from the MIT realm (krbtgt/KRB5DOMAIN.MYDOMAIN.COM)
2) Windows then obtains a service ticket from the MIT realm (krbtgt/KRB5DOMAIN.MYDOMAIN.COM) with the forwarded and forwardable flags set
3) Windows then obtains a service ticket from the MIT realm for AD.MYDOMAIN.COM (krbtgt/AD.MYDOMAIN.COM) with just the forwardable flag set - no initial flag
4) With that TGT from the MIT realm, Windows is now able to obtain an LDAP service ticket from Active Directory (ldap/DC.AD.MYDOMAIN.COM)
The TGS from KRB5DOMAIN.MYDOMAIN.COM is used to obtain all further tickets for Active Directory services (i.e. HTTP, CIFS, etc.).
The tickets are verified between domains because they're encrypted with the interdomain secret created by each trusting domain.
I'm not a Kerberos expert like some, but I'm fairly sure this is a pretty accurate representation of how this process works. Feel free to poke holes in any part.
--
Joseph T. Corey MCSE, Security+
Systems Administrator
http://joecorey.wordpress.com/
"William Holmes" <wtholmes@xxxxxxxxxxx> wrote in message news:%23Xx9RJbxIHA.4268@xxxxxxxxxxxxxxxxxxxxxxx
Hello,
I'm not sure that your statement is actually true with respect to the configuration I am setting up. I have set up a trust between an Active Directory Domain and a MIT Kerberos Domain. That being said:
I want to use the MIT Kerberos Domain to authenticate a mapped Active Directory User.
That is:
myuser@xxxxxxxxxxxxxxxxxxxxxxx is mapped to a user named myuser in the Active Directory Domain.
When the user logs on they use their password from KRB5DOMAIN.MYDOMAIN.COM and receive their TGT from the MIT Kerberos Domain. Those tickets are trusted by the Active Directory Domain (because I set up the trust) and the Kerberos principal is mapped to an Active Directory User, which again I have set up using the Security Identity Mapping in Active Directory Users And Computers.
When the Domain Controller receives the MIT credentials it should forward them to the MIT Kerberos Server, and that is not happening. Again, this is a Windows 2008 Active Directory Server set to Windows 2003 Functional Level.
Bill
"Joseph T Corey" <jcorey@xxxxxxxxxxxxxx> wrote in message news:8168EFDE-187F-43EE-8CA5-E94D946784BF@xxxxxxxxxxxxxxxx
This would be by design. MIT KDCs and AD KDCs do not communicate directly.
Also, what is the scenario you're trying to accomplish? Are you using the MIT realm as an account domain, a resource domain, or some other scenario?
--
Joseph T. Corey MCSE, Security+
Systems Administrator
http://joecorey.wordpress.com/
"William Holmes" <wtholmes@xxxxxxxxxxx> wrote in message news:OuSHUSaxIHA.3680@xxxxxxxxxxxxxxxxxxxxxxx
Hello,
I am trying to set up a cross-realm trust from Windows 2008 to MIT Kerberos. I have set up the trust, but when attempting to authenticate with the MIT realm I am not seeing any traffic between the Windows 2008 Domain Controller and the MIT Kerberos Server. The Windows 2008 AD is running at the 2003 Functional Level.
Any ideas on why the auth request might not be going out? I am using Network Monitor to look at traffic between the two servers and nothing is going between them.
Thanks
Bill
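The four-step ticket chain Joseph describes above (initial TGT from the MIT realm, forwarded TGT, cross-realm TGT for AD.MYDOMAIN.COM without the initial flag, then an LDAP service ticket from AD), together with his point that the cross-realm ticket is trusted only because it is sealed with the interdomain secret, and Bill's mapping of the MIT principal to an AD account, can be walked through in a small model. This is an added example, not code from this thread, from MIT Kerberos or from Windows: the two KDC objects, the `login()` helper and the flag strings are this model's own conventions, an HMAC tag over the ticket body stands in for the real encrypted ticket part, and realm, host and user names are the ones used in the thread.

```python
"""Toy model of the cross-realm login sequence described in this thread.

Added illustration, not code from the thread, from MIT Kerberos or from Windows.
Two toy KDCs hold one shared "interdomain" key (the cross-realm krbtgt key that
the trust creates); an HMAC tag over the ticket body stands in for the real
encrypted ticket part. Realm, host and user names are the thread's examples;
ToyKDC, login() and the flag strings are this model's own conventions.
"""
import hashlib
import hmac
import json
import os

MIT_REALM = "KRB5DOMAIN.MYDOMAIN.COM"
AD_REALM = "AD.MYDOMAIN.COM"
XREALM_TGS = f"krbtgt/{AD_REALM}@{MIT_REALM}"   # the cross-realm ticket-granting service


class ToyKDC:
    def __init__(self, realm):
        self.realm = realm
        # Each realm has its own TGT key that only it knows.
        self.keys = {f"krbtgt/{realm}@{realm}": os.urandom(32)}
        # Foreign principal -> local account (stands in for AD's Security Identity Mapping).
        self.mappings = {}

    def install_key(self, principal, key):
        self.keys[principal] = key

    def _seal(self, sname, cname, flags, extra=None):
        body = {"sname": sname, "cname": cname, "flags": sorted(flags), **(extra or {})}
        raw = json.dumps(body, sort_keys=True).encode()
        body["tag"] = hmac.new(self.keys[sname], raw, hashlib.sha256).hexdigest()
        return body

    def verify(self, ticket):
        """A ticket is trusted only if it was sealed with a key this KDC holds."""
        key = self.keys.get(ticket["sname"])
        if key is None:
            return False
        body = {k: v for k, v in ticket.items() if k != "tag"}
        raw = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(key, raw, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, ticket["tag"])

    def as_req(self, cname, password_ok=True):
        """Step 1: the initial TGT, issued only after the password check."""
        if not password_ok:
            raise PermissionError("pre-authentication failed")
        return self._seal(f"krbtgt/{self.realm}@{self.realm}", cname, {"initial", "forwardable"})

    def tgs_req(self, tgt, sname, flags):
        """Steps 2-4: exchange a TGT this KDC can verify for a ticket to sname."""
        if not tgt["sname"].startswith(f"krbtgt/{self.realm}@") or not self.verify(tgt):
            raise PermissionError(f"{self.realm}: TGT not verifiable with any key we hold")
        extra = {}
        if tgt["cname"].rsplit("@", 1)[1] != self.realm:
            # A foreign principal must be mapped to a local account before we serve it.
            if tgt["cname"] not in self.mappings:
                raise PermissionError(f"{self.realm}: no mapping for {tgt['cname']}")
            extra["mapped_to"] = self.mappings[tgt["cname"]]
        # Tickets issued by a TGS exchange never carry the initial flag.
        return self._seal(sname, tgt["cname"], set(flags) - {"initial"}, extra)


def build_realms(trust_key_mismatch=False, map_user=True):
    """Set up the two toy realms; the knobs reproduce two ways the trust can fail."""
    mit, ad = ToyKDC(MIT_REALM), ToyKDC(AD_REALM)
    trust_key = os.urandom(32)                         # the interdomain secret
    mit.install_key(XREALM_TGS, trust_key)
    ad.install_key(XREALM_TGS, os.urandom(32) if trust_key_mismatch else trust_key)
    ad.install_key(f"ldap/DC.{AD_REALM}@{AD_REALM}", os.urandom(32))
    if map_user:
        ad.mappings[f"myuser@{MIT_REALM}"] = "myuser"
    return mit, ad


def login(cname, mit, ad, password_ok=True):
    """Walk the four steps from the thread and return the tickets in order."""
    tgt = mit.as_req(cname, password_ok)                                                    # 1
    fwd = mit.tgs_req(tgt, f"krbtgt/{MIT_REALM}@{MIT_REALM}", {"forwarded", "forwardable"})  # 2
    xrealm = mit.tgs_req(fwd, XREALM_TGS, {"forwardable"})                                   # 3
    ldap = ad.tgs_req(xrealm, f"ldap/DC.{AD_REALM}@{AD_REALM}", {"forwardable"})             # 4
    return [tgt, fwd, xrealm, ldap]


if __name__ == "__main__":
    for t in login(f"myuser@{MIT_REALM}", *build_realms()):
        print(t["sname"], t["flags"], t.get("mapped_to", ""))
```

Two of the failure modes relevant to a trust that does not work are reproduced by the knobs on `build_realms()`: when the two KDCs hold different copies of the interdomain key, the AD side cannot verify the cross-realm TGT at step 4 and refuses it, and when the MIT principal has no identity mapping, the AD side refuses it even though the ticket verifies. Note that in the model, as in the thread's description, nothing in steps 1-4 ever makes the AD KDC talk to the MIT KDC: the client carries the tickets between them.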