Inter-realm

Considering Trust Relationships


You may establish a multiple-realm environment within your enterprise for any number of reasons. Whatever the reason, if principals in one realm need access to secured services supported in a different realm, you must establish a trust relationship between the realms.

When two distinct realms share secret keys, the two realms are said to trust one another. With that trust in place, principals can securely access services in their native realm as well as those in the trusted foreign realm.

Inter-realm authentication builds on the secure authentication that already exists between users and the Security Server within a single realm. The inter-realm key shared between trusted servers provides the extra link that creates a chain of trust, allowing a principal in one realm to authenticate to a service in a trusted foreign realm. To establish a trust relationship, the administrators of both realms must have a prior agreement.

You can configure your Kerberos Servers for inter-realm authentication based on one of the following:

one-way trust

two-way trust

hierarchical trust

One-way Trust

In inter-realm authentication, one-way trust authenticates principals in Realm Q to the services in Realm S, but prevents principals in Realm S from accessing services in Realm Q.

In simple terms, if Harry trusts Sally with his secrets, but Sally does not trust Harry with her secrets, Harry and Sally have a one-way trust relationship between them.

Two-way Trust

In inter-realm authentication, two-way trust authenticates principals in Realm Q to the services in Realm S, and principals in Realm S to the services in Realm Q.
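The one-way and two-way cases above come down to which KDCs hold a copy of the shared inter-realm key. The following is an added toy model (not code from this manual or from any Kerberos product) that makes this visible: each realm's KDC is a hypothetical Kdc object holding principal keys, an HMAC tag stands in for ticket encryption, and the cross-realm principal krbtgt/<foreign>@<home> carries the shared secret; realm names Q and S and the service names are constructed for the example.

```python
import hashlib
import hmac
import secrets

class Kdc:
    """Toy KDC for one realm (hypothetical model, not a real Kerberos server):
    tickets are (payload, HMAC tag) under the service key, standing in for encryption."""
    def __init__(self, realm):
        self.realm, self.keys = realm, {}  # keys: principal name -> key bytes

    def add_principal(self, name, key=None):
        self.keys[name] = key or secrets.token_bytes(32)
        return self.keys[name]

    def _tag(self, key, payload):
        return hmac.new(key, payload.encode(), hashlib.sha256).digest()

    def issue(self, client, service):  # ticket bound to this KDC's key for service
        payload = f"{client}|{service}"
        return payload, self._tag(self.keys[service], payload)

    def verify(self, ticket):  # true only if we hold the same key the issuer used
        key = self.keys.get(ticket[0].split("|")[1])
        return key is not None and hmac.compare_digest(ticket[1], self._tag(key, ticket[0]))

def share_inter_realm_key(home, foreign):
    """Both KDCs store the same key for krbtgt/<foreign>@<home> (home -> foreign trust)."""
    name = f"krbtgt/{foreign.realm}@{home.realm}"
    foreign.add_principal(name, home.add_principal(name))

def cross_realm_access(client, home, foreign, service):
    """Chain of trust: home KDC issues a cross-realm TGT, foreign KDC checks it with
    its copy of the shared key, then issues the service ticket; None if chain breaks."""
    xtgt_name = f"krbtgt/{foreign.realm}@{home.realm}"
    if xtgt_name not in home.keys or service not in foreign.keys:
        return None
    xtgt = home.issue(client, xtgt_name)
    return foreign.issue(client, service) if foreign.verify(xtgt) else None

def demo_trust(two_way):
    """Realms Q and S, one-way (Q -> S) or two-way; returns (Q->S worked, S->Q worked)."""
    q, s = Kdc("Q"), Kdc("S")
    q.add_principal("host/files.q")
    s.add_principal("host/files.s")
    share_inter_realm_key(q, s)  # Q -> S: Harry trusts Sally with his secrets
    if two_way:
        share_inter_realm_key(s, q)  # S -> Q as well
    harry = cross_realm_access("harry@Q", q, s, "host/files.s")
    sally = cross_realm_access("sally@S", s, q, "host/files.q")
    return harry is not None, sally is not None
```

With one-way trust demo_trust(False) returns (True, False); with two-way trust it returns (True, True). A cross-realm principal that exists on both sides but with different keys gives no trust at all, which is why the prior agreement between administrators matters.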

Chapter 8

245