
Cross realm between AD and MIT


jm130794

Aug 24, 2011, 5:59:39 AM
to kerb...@mit.edu
Hello

I set up a cross-realm trust between my MIT Kerberos and an AD. I can open a session on
my AD server with a principal defined in my MIT Kerberos (e.g. user1).

I added a Windows 7 machine to my Microsoft domain. I can open a session on this
station with the Domain Administrator account without problem.

When I try to open a session with user1 (MIT principal), that doesn't
work...

Any idea ?

Thanks,

JM

jm130794

Aug 24, 2011, 8:05:28 AM
to kerb...@mit.edu
I used Wireshark to find out why my connection fails. It seems that AD returns
the error KDC_ERR_WRONG_REALM. It's weird that I can connect to the server but
not to the client!

Regards,


JM


2011/8/24 Ranjith Murugan <muru...@vmware.com>

> I'm having the same issue. Still trying to find a way out of it. Let me
> know if you find the solution.
>
> Regards,
> Ranjith.

> ________________________________________________
> Kerberos mailing list Kerb...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>


Robert Wehn

Aug 24, 2011, 9:25:36 AM
to kerb...@mit.edu
Hi JM

It might be a DNS error.
The client (user) has to guess the realm of the service and often uses
DNS (for example TXT records) or some registry entry (HostToRealm) to
determine the Kerberos realm for the service (in this case the local login).

Try capturing with Wireshark which DNS requests a Windows XP machine makes when you try to
log in using the cross-realm trust.
Do the same on the Windows 7 machine.

When testing cross-realm trust several months ago I had the impression
MS changed something there, but I didn't really finish this.
Actually it doesn't read out TXT records, which worked fine for WinXP.

If you find out something, please tell me.

Robert.


--

Dr. Robert Wehn ........................ http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2047
86135 Augsburg .................................. Fax. (0821) 598-2028

jm130794

Aug 24, 2011, 9:28:11 AM
to kerb...@mit.edu
Hello,

That works :)

I just removed the client from AD and added it again. I can now open a session
on my client with user1 (MIT Kerberos principal).

JM

2011/8/24 jm130794 <jm13...@gmail.com>

jm130794

Aug 26, 2011, 10:41:06 AM
to Robert Wehn, kerb...@mit.edu
Hello,


I tried with another client and I have the same problem!

I can't open a session with user1 (MIT principal).

JM


2011/8/24 Robert Wehn <rober...@rz.uni-augsburg.de>


Wilper, Ross A

Aug 26, 2011, 11:22:28 AM
to jm130794, Robert Wehn, kerb...@mit.edu
One thing that you did not make clear is whether you defined the MIT Kerberos realm in the registry of the Windows 7 machine.
(ksetup /AddKDC <realm> <kdc>, or just go to HKLM\System\CurrentControlSet\LSA\Kerberos\Domains, make a key named the same as the realm, and add a REG_MULTI_SZ value "KdcNames".)

-Ross


jm130794

Aug 26, 2011, 2:14:39 PM
to Wilper, Ross A, kerb...@mit.edu
Hello Ross,

With my first client, I added my computer to the Microsoft domain. After
that, I could log in with my MIT account. I never changed anything in the
registry.

Thanks,

JM

2011/8/26 Wilper, Ross A <rwi...@stanford.edu>

jm130794

Aug 27, 2011, 1:55:22 AM
to Wilper, Ross A, kerb...@mit.edu
I found a solution (is it a good solution?):

- I added my client (W7) to my AD.MYREALM (Microsoft domain)
- on the client, I ran: ksetup /AddKdc MYREALM

As you see, I don't give the address of the MIT KDC. I can open a session
with a MIT KDC user.

If I run: ksetup /AddKdc MYREALM kdc1.myrealm, that does not work.

What do you think about it ?

Jean-Michel

2011/8/26 jm130794 <jm13...@gmail.com>

Robert Wehn

Aug 27, 2011, 11:24:22 AM
to kerb...@mit.edu
Hello JM

If you didn't do anything in the registry, then I'm quite sure there's a Group Policy which does the job for you.

Maybe this doesn't work with Win7 anymore. Google for "GPO Kerberos win7"; I think there were changes in the MS implementation of the settings.

Robert.

--
Robert Wehn
Hermanstraße 29
86150 Augsburg

rober...@googlemail.com
rob...@wehns.de

Robert Wehn

Aug 27, 2011, 11:33:46 AM
to kerb...@mit.edu

On 27.08.2011 at 07:55, jm130794 <jm13...@gmail.com> wrote:

> I found a solution (is it a good solution ?) :
>
> - I add my client (W7) into my AD.MYREALM (Microsoft Domain)
> - on the client, I do : ksetup /AddKdc MYREALM

If this is the realm of your MIT Kerberos domain, then this is correct. This is what Ross told you, and it actually adds the registry settings he pointed out.
This can also be done centrally by a GPO if you don't want to touch every client.
>
> As you see, I don't give the address of the MIT KDC. I can open a session with a MIT KDC user.


>
> If I do: ksetup /AddKdc MYREALM kdc1.myrealm, that does not work

What is the DNS name of your KDC? If it's different, then it cannot work.
If you have a KDC service record for the MYREALM realm in your DNS, then making no local KDC setting is often a good idea.


>
> What do you think about it ?
>
> Jean-Michel
>

> 2011/8/26 jm130794 <jm13...@gmail.com>
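
As an added example (not code from anyone in this thread), the following PowerShell script checks, on a Windows client, whether a non-AD realm such as the MIT realm discussed here is defined and how its KDCs will be found. It reads the key that ksetup /AddKdc maintains, HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains (the full path of the Domains key Ross refers to above; each realm is a subkey with a REG_MULTI_SZ value KdcNames), and resolves the _kerberos._tcp.<realm> SRV record that Windows uses when no KDC name was given to ksetup, which is the situation in JM's working configuration. It also checks Robert's point that an explicit KDC name must be the KDC's real DNS name. The realm name MYREALM is the thread's placeholder; the script assumes Resolve-DnsName where available (Windows 8 / Server 2012 and later) and falls back to nslookup on Windows 7.

```powershell
# Added example for this thread (not code from any poster): report how this
# Windows client maps a realm to its KDCs. Reading the registry needs no
# elevation; ksetup itself must be run from an elevated prompt.
# Assumption: MYREALM is the placeholder realm name used in the thread.
param(
    [string]$Realm = 'MYREALM'
)

# Key maintained by ksetup /AddKdc: one subkey per realm, value "KdcNames"
# (REG_MULTI_SZ) listing the KDC DNS names. Empty list = locate via DNS SRV.
$DomainsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains'

function Get-RealmKdcNames {
    # $null if the realm is unknown to this client, otherwise the (possibly
    # empty) list of explicitly configured KDC names.
    param([string]$Realm)
    $key = Join-Path -Path $DomainsKey -ChildPath $Realm
    if (-not (Test-Path -Path $key)) { return $null }
    $value = (Get-ItemProperty -Path $key).KdcNames
    if ($null -eq $value) { return @() }
    return @($value | Where-Object { $_ -ne '' })
}

function Get-KerberosSrvTargets {
    # Targets of the SRV record Windows consults when KdcNames is empty.
    param([string]$Realm)
    $name = '_kerberos._tcp.' + $Realm.ToLower()
    if (Get-Command -Name Resolve-DnsName -ErrorAction SilentlyContinue) {
        $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue
        return @($records | Where-Object { $_.Type -eq 'SRV' } |
                 ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() })
    }
    # Windows 7 fallback: parse nslookup output ("svr hostname   = kdc1.myrealm")
    $lines = & nslookup -type=SRV $name 2>$null
    return @($lines | Select-String -Pattern 'svr hostname\s*=\s*(\S+)' |
             ForEach-Object { $_.Matches[0].Groups[1].Value.TrimEnd('.').ToLower() })
}

$kdcs = Get-RealmKdcNames -Realm $Realm
$srv  = Get-KerberosSrvTargets -Realm $Realm

if ($null -eq $kdcs) {
    Write-Output "Realm $Realm is not defined on this client."
    Write-Output "Define it with:  ksetup /AddKdc $Realm             (KDCs located via DNS SRV)"
    Write-Output "            or:  ksetup /AddKdc $Realm <kdc fqdn>  (explicit KDC name)"
}
elseif ($kdcs.Count -eq 0) {
    Write-Output "Realm $Realm is defined with no explicit KDC; KDCs are located via DNS SRV."
    if ($srv.Count -eq 0) {
        Write-Output "WARNING: _kerberos._tcp.$($Realm.ToLower()) does not resolve; the client cannot find a KDC."
    }
    else {
        Write-Output ('SRV targets: ' + ($srv -join ', '))
    }
}
else {
    Write-Output ("Realm $Realm is defined with explicit KDCs: " + ($kdcs -join ', '))
    foreach ($kdc in $kdcs) {
        # The name given to ksetup must be the KDC's real DNS name.
        try {
            $null = [System.Net.Dns]::GetHostAddresses($kdc)
            Write-Output "  $kdc resolves in DNS"
        }
        catch {
            Write-Output "  WARNING: $kdc does not resolve; use the KDC's DNS name, or remove it and rely on SRV"
        }
        if ($srv.Count -gt 0 -and ($srv -notcontains $kdc.ToLower())) {
            Write-Output ("  NOTE: $kdc is not among the SRV targets (" + ($srv -join ', ') + ')')
        }
    }
}
```

Running ksetup with no arguments prints the same realm and KDC settings the script reads, so the two can be compared after any change.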
