
Re: Can Heimdal KDC issue cross-realm referral ?


As I recall, the [libdefaults] section should contain win2k_compatible = yes, and some encryption types should not be used (I used des_cbc_crc and des_cbc_md5).

I've managed to authenticate via a Win2K client to a Heimdal realm and then to a Win2K server, but I think the client asked for a cross-realm TGT first from the Heimdal KDC and then asked the Win2K KDC to give the right service ticket to her. Have you set the correct realms and KDCs in the Win2K machine with


>In section 4.7 Referrals of Heimdal and Windows 2000 Kerberos --how to get them to play together paper, it is stated:
>"We have added functionality for referrals to the Heimdal KDC that is sufficient for Windows clients"
>What configurations need to be done on a Heimdal KDC to provide the support ?
>I need a cross-realm referral support in the following scenario:
>a win2k client authenticates to a heimdal kdc. The client then wants to access a computer in another realm (a win2k domain). Hence the win2k client sends a TGS_REQ to heimdal kdc with target name of the service in its own realm (I've just known that microsoft changed the mechanism !). Hence the client makes an assumption that the service is in its own realm until the KDC replies with a TGS_REP telling him that the service is in fact in another realm (hence giving a cross-realm referral).
>Life, you see, is never as good or as bad as one thinks
>                                                                        - Guy de Maupassant -