Managing Multiple Realms

Hierarchical Interrealm Trust

You need to use hierarchical interrealm authentication when a realm has no direct trust relationship with the destination realm but does have one with an intermediate realm that, directly or through further intermediates, trusts the destination.

Hierarchical Chain of Trust

Interrealm trust can be transitive. For example, if realm A trusts B and B trusts C, a client in A can obtain a ticket for a service in C by following the trust path from A to B to C. Note that every realm on such a path vouches for the client to the next one, so the end-to-end authentication is only as trustworthy as the least trustworthy KDC in the chain.

For example, consider three realms, X.Y.A, X.Y.B, and X.Y.C, with the following direct trust relationships established between them.

Realm X.Y.A has a direct trust link to realm X.Y.B.

Realm X.Y.B has a direct trust link to realm X.Y.C.

In such a configuration, the client walks the realm tree from X.Y.A to X.Y.C by requesting an interrealm TGT from each realm on the path in turn (here, a TGT for X.Y.B from X.Y.A, then a TGT for X.Y.C from X.Y.B), until it can request the service ticket from X.Y.C.

Although creating such hierarchical trusts is more efficient than configuring each server with knowledge of all possible interrealm trust relationships, the client must still compute the path through the realm tree, map each realm on the path to the host name of its security server (KDC), and request an interrealm TGT from each realm on the path.

In addition, the Kerberos protocol requires the client to know the exact realm of each service it needs to authenticate to. In the previous example, the client in X.Y.A must know that the service it wants to access belongs to realm X.Y.C.
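The following is an added example, not part of the original text, that models the client-side computation just described: given a constructed krb5.conf fragment (sample data, not a real deployment) it reads the explicit trust paths from the [capaths] stanza, falls back to the default hierarchical walk over shared realm-name suffixes when no entry exists, and lists the cross-realm TGT principal the client must ask each KDC on the path for. The realms X.Y.A, X.Y.B and X.Y.C are the ones above; RED.BLUE.COM, VIBGYOR.INDIGO.COM and GREEN.YELLOW.COM are the realms of the example that follows. The parser handles only the subset of krb5.conf syntax shown in the sample, and treating "no common suffix" as "no hierarchical path" is this example's own choice rather than a statement about any particular Kerberos implementation.

```python
"""Compute the realm path a Kerberos client walks to reach a service realm.

Added example (not from the page). Two lookups, in the order a client would
try them: an explicit [capaths] entry if one exists, otherwise the default
hierarchical walk up the client realm's name components to the closest
common suffix and back down to the server realm.
"""
import re

# Constructed krb5.conf fragment (sample data, not from any real deployment).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = RED.BLUE.COM

[capaths]
    RED.BLUE.COM = {
        GREEN.YELLOW.COM = VIBGYOR.INDIGO.COM
        VIBGYOR.INDIGO.COM = .
    }
    X.Y.A = {
        X.Y.C = X.Y.B
        X.Y.B = .
    }
"""


def parse_capaths(conf_text):
    """Return {client_realm: {server_realm: [intermediate realms]}} from the
    [capaths] stanza.  A value of "." means a direct trust (no intermediates).
    Repeated lines for the same server realm append intermediates in order,
    which is how krb5.conf expresses paths longer than one hop."""
    capaths = {}
    section = None
    client = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r'\[(\w+)\]$', line)
        if m:                      # new section header, e.g. [capaths]
            section, client = m.group(1), None
            continue
        if section != 'capaths':
            continue
        if line.endswith('{'):     # "CLIENT.REALM = {" opens a client block
            client = line.split('=')[0].strip()
            capaths.setdefault(client, {})
            continue
        if line == '}':
            client = None
            continue
        if client is not None and '=' in line:
            server, value = (s.strip() for s in line.split('=', 1))
            hops = capaths[client].setdefault(server, [])
            if value != '.':
                hops.append(value)
    return capaths


def hierarchical_path(client_realm, server_realm):
    """Default walk used when no [capaths] entry exists: strip components from
    the client realm up to the longest common suffix, then add components
    toward the server realm.  Returns only the intermediate realms, or None
    when the realms share no suffix (this example's choice: such a pair
    needs an explicit [capaths] entry)."""
    c, s = client_realm.split('.'), server_realm.split('.')
    n = 0                          # length of the common suffix, in components
    while n < min(len(c), len(s)) and c[-1 - n] == s[-1 - n]:
        n += 1
    if n == 0:
        return None
    up = ['.'.join(c[i:]) for i in range(1, len(c) - n + 1)]        # climb
    down = ['.'.join(s[i:]) for i in range(len(s) - n - 1, 0, -1)]  # descend
    return [r for r in up + down if r not in (client_realm, server_realm)]


def realm_path(client_realm, server_realm, capaths):
    """Full ordered list of realms the client passes through:
    [client_realm, intermediate..., server_realm]."""
    if client_realm == server_realm:
        return [client_realm]
    hops = capaths.get(client_realm, {}).get(server_realm)
    if hops is None:
        hops = hierarchical_path(client_realm, server_realm)
    if hops is None:
        raise LookupError(f"no trust path from {client_realm} to {server_realm}")
    return [client_realm] + hops + [server_realm]


def tgs_requests(path):
    """(KDC realm, cross-realm TGT principal) the client asks for at each hop.
    The KDC of path[i] issues krbtgt/path[i+1]@path[i]; the final realm's KDC
    then issues the service ticket itself."""
    return [(path[i], f"krbtgt/{path[i + 1]}@{path[i]}")
            for i in range(len(path) - 1)]


if __name__ == '__main__':
    caps = parse_capaths(SAMPLE_KRB5_CONF)
    for kdc, principal in tgs_requests(realm_path('X.Y.A', 'X.Y.C', caps)):
        print(f"ask KDC of {kdc} for {principal}")
```

Running the block prints the two cross-realm TGT requests for the X.Y.A to X.Y.C walk; the fallback in hierarchical_path only ever applies to realms such as ENG.EXAMPLE.COM and SALES.EXAMPLE.COM that share a parent, which is why the page's X.Y.A to X.Y.C chain has to be configured explicitly.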

Assume that a client in the realm RED.BLUE.COM needs to authenticate to a service located in the realm GREEN.YELLOW.COM, but realm RED.BLUE.COM does not have a direct trust relationship established with the realm GREEN.YELLOW.COM.

Now, VIBGYOR.INDIGO.COM has a direct trust relationship established with both RED.BLUE.COM and GREEN.YELLOW.COM. Hence, the client in RED.BLUE.COM can obtain an interrealm ticket for GREEN.YELLOW.COM through the intermediate realm, VIBGYOR.INDIGO.COM. The client in RED.BLUE.COM requests an

Chapter 10

281