Managing Multiple Realms

Configuring Direct Trust Relationships

If the Kerberos security servers manage all the realms in a multirealm environment, you must add interrealm principals to the principal databases for each realm.

Interrealm principals are special-case krbtgt/REALM1@REALM2 principal accounts, where krbtgt/REALM1 is the ticket-granting service principal for REALM1 and REALM2 is the foreign realm.

A direct trust relationship exists when the server that hosts Realm 1 directly trusts the server that hosts Realm 2.

The client system constructs the interrealm ticket request rather than the servers. Interrealm authentication begins when a user requests a service ticket for a service that is not in the default realm of the user.

The client software constructs the service ticket request and sends it to the Kerberos server that supports the default realm of the user. Because the service is not in that realm, the Kerberos server cannot return a service ticket. However, if it has a direct trust link to the realm of the service, it can return an interrealm ticket for the realm of the service.

When the client receives the interrealm ticket, it sends the interrealm ticket with the service ticket request to the Kerberos server that supports the realm of the service.

When a foreign Kerberos server receives a service ticket request accompanied by an interrealm ticket, and that interrealm ticket was obtained from a realm with which a direct trust relationship exists, the foreign Kerberos server returns the service ticket. For this process to work on the server, the following conditions must be met:

The user principal must be able to authenticate in the default realm of the user.

You must establish a trust relationship between the default realm of the user and the realm of the service.
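The exchange described above, as an added example that is not part of this manual or of any Kerberos implementation: two simulated Kerberos servers (realm names, principal names, and the HMAC-based "ticket" used in place of real ticket encryption are all constructed assumptions) show that a service ticket is returned only when the user authenticates in the home realm and the interrealm principal is present in both principal databases.

```python
import hashlib
import hmac

def derive_key(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()

def seal_ticket(key: bytes, client: str, service: str) -> dict:
    # Stand-in for a ticket encrypted in the service's key: only a KDC that holds
    # that key can verify the MAC, so no other party can forge or alter the ticket.
    mac = hmac.new(key, f"{client}|{service}".encode(), hashlib.sha256).hexdigest()
    return {"client": client, "service": service, "mac": mac}
class Kdc:
    def __init__(self, realm: str, principals: dict):
        self.realm, self.principals = realm, principals  # principal -> secret key
    def as_exchange(self, user: str, password: str):
        # Condition 1: the user principal must authenticate in its default realm.
        client, tgs = f"{user}@{self.realm}", f"krbtgt/{self.realm}@{self.realm}"
        key = self.principals.get(client)
        if key is None or not hmac.compare_digest(key, derive_key(password)):
            return None                                # client authentication fails
        return seal_ticket(self.principals[tgs], client, tgs)
    def tgs_exchange(self, ticket: dict, service: str):
        # Serves both the home KDC (TGT presented) and the foreign KDC (interrealm
        # ticket presented): the ticket must verify under a key in this database.
        key = self.principals.get(ticket["service"])
        if key is None or seal_ticket(key, ticket["client"], ticket["service"]) != ticket:
            return None                                # ticket not verifiable here
        svc_realm = service.split("@")[1]
        # Condition 2: for a foreign service the krbtgt/<service realm>@<this realm>
        # principal must exist (direct trust), and the reply is an interrealm ticket.
        target = service if svc_realm == self.realm else f"krbtgt/{svc_realm}@{self.realm}"
        if target not in self.principals:
            return None                                # no trust link, or unknown service
        return seal_ticket(self.principals[target], ticket["client"], target)
def get_service_ticket(kdcs: dict, user: str, password: str, home: str, service: str):
    # Client side: TGT from the home realm, interrealm ticket, then the service ticket.
    tgt = kdcs[home].as_exchange(user, password)
    ticket = kdcs[home].tgs_exchange(tgt, service) if tgt else None
    if ticket is None or ticket["service"] == service:
        return ticket
    return kdcs[service.split("@")[1]].tgs_exchange(ticket, service)
# Constructed principal databases; the interrealm principal is in both with one key.
TRUST = derive_key("shared-interrealm-key")
KDCS = {
    "HOME.EXAMPLE": Kdc("HOME.EXAMPLE", {"krbtgt/HOME.EXAMPLE@HOME.EXAMPLE": derive_key("h"),
        "alice@HOME.EXAMPLE": derive_key("alice-pw"), "krbtgt/SVC.EXAMPLE@HOME.EXAMPLE": TRUST}),
    "SVC.EXAMPLE": Kdc("SVC.EXAMPLE", {"krbtgt/SVC.EXAMPLE@SVC.EXAMPLE": derive_key("s"),
        "host/fs1@SVC.EXAMPLE": derive_key("fs1"), "krbtgt/SVC.EXAMPLE@HOME.EXAMPLE": TRUST}),
}
```

A request for a service in a realm with no krbtgt/REALM@HOME.EXAMPLE entry is refused by the home server before the foreign server is ever contacted, and an interrealm ticket sealed under any key other than the shared one is rejected by the foreign server.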

The Kerberos server returns a failure for any of the following reasons:

The client authentication fails.

Chapter 10

279