Managing Multiple Realms

Considering a Trust Relationship

You can establish a multiple-realm environment within your enterprise for a variety of reasons. Whatever the reason, if principals in one realm need access to secured services in a different realm, you must establish a trust relationship between the realms.

When two distinct realms share a secret key, the two realms are said to trust each other. With that trust in place, principals can securely access services in their native realm as well as those in the trusted foreign realm.

Interrealm authentication relies first on secure authentication between users and the security server within a single realm. The interrealm key shared between the trusted servers provides the extra link that creates a chain of trust, allowing a principal in one realm to authenticate to a service in a trusted foreign realm. To establish a trust relationship, the administrators of both realms must have an agreement, because the same interrealm key has to be configured on both sides.

You can configure your Kerberos servers for interrealm authentication based on one-way trust, two-way trust, or hierarchical trust.

One-Way Trust

In interrealm authentication, a one-way trust authenticates principals in one realm (Q) to services in another realm (S), but prevents principals in realm S from accessing services in realm Q.

In simple terms, if Harry trusts Sally with his secrets, but Sally does not trust Harry with her secrets, Harry and Sally have a one-way trust relationship between them.

Two-Way Trust

In interrealm authentication, a two-way trust authenticates principals in one realm (Q) to services in another realm (S), and also authenticates principals in realm S to services in realm Q.

In simpler terms, if Harry trusts Sally with his secrets, and Sally trusts Harry with her secrets, Harry and Sally have a two-way trust relationship between them.
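The following is an added example, not code from the original text or from any Kerberos distribution. It models the chain of trust, one-way trust and two-way trust described above as a graph: following MIT Kerberos naming, the shared interrealm key that lets principals in realm LOCAL authenticate to services in realm REMOTE is the principal krbtgt/REMOTE@LOCAL, and it must exist with an identical key in the KDC databases of both realms. The realm names, principal lists, and the kadmin `addprinc` options (enctype, placeholder password) are constructed assumptions for illustration.

```python
"""Kerberos cross-realm trust modelled as a graph of shared krbtgt keys.

Added example (not from the original text).  Direction "principals in LOCAL may
authenticate to services in REMOTE" is carried by the principal krbtgt/REMOTE@LOCAL,
registered with the same key on BOTH realms' KDCs.  Sample data below is constructed.
"""
from collections import deque


def cross_realm_edges(kdc_databases):
    """Build the trust graph from each realm's KDC database contents.

    kdc_databases maps a realm name to the set of principal names in that realm's
    database.  Edge LOCAL -> REMOTE exists only when krbtgt/REMOTE@LOCAL is present
    on both sides; a key registered on one KDC only yields no trust.  Presence is
    modelled here; in a real deployment the key material must also match.
    """
    edges = {realm: set() for realm in kdc_databases}
    for local, principals in kdc_databases.items():
        for principal in principals:
            if not principal.startswith("krbtgt/"):
                continue
            service, owner = principal.split("@", 1)
            remote = service.split("/", 1)[1]
            if owner != local or remote == local:
                continue  # the foreign realm's copy, or this realm's own TGS key
            if principal in kdc_databases.get(remote, set()):
                edges[local].add(remote)
    return edges


def trust_path(kdc_databases, client_realm, service_realm):
    """Chain of realms a client in client_realm walks through to reach a service in
    service_realm, or None when no chain of trust exists.

    Breadth-first search over shared-key edges: a direct one-way trust gives
    [Q, S]; a hierarchical arrangement gives the hop list.  A real KDC and client
    only follow the route configured in krb5.conf [capaths] (or the hierarchical
    default); this reports any route the existing keys permit, which is what an
    administrator auditing trust wants to see.
    """
    if client_realm == service_realm:
        return [client_realm]
    edges = cross_realm_edges(kdc_databases)
    previous = {client_realm: None}
    queue = deque([client_realm])
    while queue:
        realm = queue.popleft()
        for nxt in sorted(edges.get(realm, ())):
            if nxt in previous:
                continue
            previous[nxt] = realm
            if nxt == service_realm:
                path = [nxt]
                while previous[path[-1]] is not None:
                    path.append(previous[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def add_shared_key(kdc_databases, local, remote):
    """Register krbtgt/REMOTE@LOCAL in both realms' databases (the two administrators'
    agreement from the text).  Returns a new mapping; the input is not mutated."""
    updated = {realm: set(p) for realm, p in kdc_databases.items()}
    principal = f"krbtgt/{remote}@{local}"
    updated.setdefault(local, set()).add(principal)
    updated.setdefault(remote, set()).add(principal)
    return updated


def kadmin_commands(client_realm, service_realm, two_way=False):
    """kadmin commands that create the cross-realm key(s).  Each line must be run on
    the KDCs of BOTH realms with the same password so the derived keys are identical.
    '<shared-secret>' is a placeholder: use a long random value in practice."""
    pairs = [(service_realm, client_realm)]          # Q -> S needs krbtgt/S@Q
    if two_way:
        pairs.append((client_realm, service_realm))  # S -> Q needs krbtgt/Q@S
    return [f"addprinc -e aes256-cts:normal -pw '<shared-secret>' krbtgt/{remote}@{local}"
            for remote, local in pairs]


# Constructed sample: Q -> S fully set up (key on both KDCs); S -> T only half done
# (key exists on S's KDC but was never added on T's), so no trust S -> T.
SAMPLE_KDCS = {
    "Q.EXAMPLE": {"krbtgt/Q.EXAMPLE@Q.EXAMPLE", "harry@Q.EXAMPLE",
                  "krbtgt/S.EXAMPLE@Q.EXAMPLE"},
    "S.EXAMPLE": {"krbtgt/S.EXAMPLE@S.EXAMPLE", "host/web.s.example@S.EXAMPLE",
                  "krbtgt/S.EXAMPLE@Q.EXAMPLE", "krbtgt/T.EXAMPLE@S.EXAMPLE"},
    "T.EXAMPLE": {"krbtgt/T.EXAMPLE@T.EXAMPLE"},
}

if __name__ == "__main__":
    print("Q -> S:", trust_path(SAMPLE_KDCS, "Q.EXAMPLE", "S.EXAMPLE"))  # one-way works
    print("S -> Q:", trust_path(SAMPLE_KDCS, "S.EXAMPLE", "Q.EXAMPLE"))  # None: one-way only
    print("S -> T:", trust_path(SAMPLE_KDCS, "S.EXAMPLE", "T.EXAMPLE"))  # None: half configured
    two_way = add_shared_key(SAMPLE_KDCS, "S.EXAMPLE", "Q.EXAMPLE")
    print("S -> Q after two-way:", trust_path(two_way, "S.EXAMPLE", "Q.EXAMPLE"))
    for cmd in kadmin_commands("Q.EXAMPLE", "S.EXAMPLE", two_way=True):
        print("run on both KDCs:", cmd)
```

The half-configured S -> T case is the check worth keeping in mind: `kadmin` on one KDC will happily create krbtgt/T.EXAMPLE@S.EXAMPLE, but until the same principal exists with the same key on T's KDC, no cross-realm ticket can be decrypted and the trust does not exist.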

Chapter 10