Re: AW: Proof of authenticity of TGT

From: deengert@xxxxxxx ("Douglas E. Engert")
Date: Wed, 23 Aug 2006 10:23:52 -0500

Ken Raeburn wrote:

On Aug 23, 2006, at 3:43, Olfmatic wrote:

I understand your warnings. But it is not possible to add the
service to the realm, because it is running on a host that is not
in the same windows domain and not in the same kerberos realm.

Not true at least for Unix hosts. A service is "in a realm"
be virtue of possessing the key of a service principal registered
in the realm. The same service could accept tickets issued by
multiple independent realms, if it had entries in its keytab
for the principals.

Now if the service is running on window, and you are using the Windows
Kerberos it might not be true, because windows does more then Kerberos
authentication.

To

be more precise, it is not running in a kerberos realm at all and
thus is not really a kerberos service.

Then why are you trying to use Kerberos?

Ken
________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos

--

Douglas E. Engert <DEEngert@xxxxxxx>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos

.

References:
- AW: Proof of authenticity of TGT
  - From: "Olfmatic"
- Re: AW: Proof of authenticity of TGT
  - From: Ken Raeburn

Prev by Date: Re: AW: AW: Using a Kerberized application outside the Kerberos Realm
Next by Date: Kerberos for Windows is Spyware according to CounterSpy
Previous by thread: Re: AW: Proof of authenticity of TGT
Next by thread: Re: gss-client error
Index(es):
- Date
- Thread

Relevant Pages

Re: Kerberos v5
... SM> all platforms will authenticate to Active Directory via Kerberos. ... SM> facilitate authentication from our Unix, ... You can create a separate realm for the Unix machines with realm trust to ... because Windows does not use the traditional mechanisms to determine the ...
(comp.protocols.kerberos)
Re: AD using an external Kerberos realm
... a colleague of mine sent a message to the Windows ... AD realm, a Heimdal realm, cross-realm trust at least of Heimdal by AD, ... JE> gotchas that those of us who support Kerberos or the Windows ...
(comp.protocols.kerberos)
Re: cross-realm authentication problem
... Windows client are in KLIENT.UIB.NO, Windows user accounts are in UIB.NO, Unix/Linux machines and accounts are in UNIX.UIB.NO. ... I have one web server running RHEL4, apache 2.0.52 and Kerberos 1.3.4 as provided by Redhat, self-compiled mod_auth_kerb 5.4, and another running RHEL5, apache 2.2.3 and Kerberos 1.6.1 as provided by Redhat, self-compiled mod_auth_kerb 5.4. ... After authenticating against UIB.NO on a Linux machine (which have UNIX.UIB.NO as primary realm in krb5.conf) cross-realm authentication works fine. ... But using a Windows machine where the user is authenticated in UIB.NO I get cross-realm authentication only to the web server running RHEL4, not the one running RHEL5, I never even get a ticket for UNIX.UIB.NO from AD when trying to access the RHEL5 server web page. ...
(comp.protocols.kerberos)
Re: Cross Realm MIT <-> Active Directory
... Now why can't user XYZ@xxxxxxxx login successfully with his Windows ... I meant on the Unix box, not on the Windows box, so sorry on that. ... user xyz can login to your Unix machine. ... Host and service principals are defined in MIT Kerberos (realm ...
(comp.protocols.kerberos)
Re: Kerberos authentication NOT in AD
... Windows supports Unix Kerberos realms natively. ... realm user, but it's pretty easy to script such a thing or get fancy and use ... from the folks that manage the Kerberos realm, ... so I'm not doing any authentication as of yet (I've ...
(microsoft.public.dotnet.security)