
Re: Windows 2003 SP1, cross-domain trust



On Thu, 29 Mar 2007 00:58:01 -0700 (PDT)
Chris Stromsoe <cbs@cts.ucla.edu> wrote:

> I'm trying to set up a cross-domain trust from a W2K3 SP1 AD domain 
> controller to a heimdal 0.7.2 KDC ("pass-thru authentication").
> 
> I can authenticate stand-alone workstations fine.  kerbtray shows all
> of the proper tickets showing up.
> 
> After setting up the trust on the DC, I get KDC_ERR_ETYPE_NOTSUPP on
> the DC when I try to authenticate with credentials from the heimdal
> realm.

I disabled everything but the des keys on the cross realm principal:

Principal: krbtgt/NETTST.CHALMERS.SE@TEST.CHALMERS.SE
Keytypes(salttype[(salt-value)]): des-cbc-md4(pw-salt), des-cbc-crc(pw-salt)

It's working for XP clients but not for w2k clients, though I suspect
that the w2k clients can't handle pkinit.

-- 
Björn Sandell               Chalmers University of Technology
IT Services       www.chalmers.se/its      +46 (0)31 772 1000
No one ever says, 'I can't read that ASCII E-mail you sent me.'