Inter-realm

Considering Trust Relationships

In simple terms, if Harry trusts Sally with his secrets, and Sally trusts Harry with her secrets, Harry and Sally have a two-way trust relationship between them.

Hierarchical Trust

In inter-realm authentication, hierarchical trust allows principals in one realm to access resources in another realm if there is a chain of trust established between the realms. The chain relies on a hierarchical realm naming scheme.

For example, IT.BAMBI.COM and DEER.JUNGLE.COM are child realms of their respective parent realms, BAMBI.COM and JUNGLE.COM. If both child realms have two-way trust with the parent realm, and the two parent realms have a direct trust link, then IT.BAMBI.COM and DEER.JUNGLE.COM can have hierarchical inter-realm trust between them.

To support hierarchical trust in Kerberos Servers, you must have a realm hierarchy, where each realm has a direct relationship with a parent and potentially several children.
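The chain of trust for the example realms can be worked out mechanically. The following Python sketch is an added illustration, not part of HP's Kerberos Server or its documentation: the function names and the `TRUST_LINKS` table are hypothetical, and the `krbtgt/TARGET@ISSUER` principal naming is the standard Kerberos cross-realm convention rather than something stated on this page.

```python
# Constructed two-way trust links, using the realms from the example above.
TRUST_LINKS = {
    frozenset({"IT.BAMBI.COM", "BAMBI.COM"}),
    frozenset({"DEER.JUNGLE.COM", "JUNGLE.COM"}),
    frozenset({"BAMBI.COM", "JUNGLE.COM"}),   # direct link between the parents
}

def ancestors(realm):
    """Return the realm followed by each parent implied by its name."""
    labels = realm.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def trust_path(client, target, links=TRUST_LINKS):
    """Shortest chain of realms from client to target, or None if a link is missing.

    The chain climbs the client's ancestors, crosses at a shared ancestor or
    at a direct link between two ancestors, then descends to the target.
    """
    up, down = ancestors(client), ancestors(target)
    best = None
    for i, a in enumerate(up):
        for j, b in enumerate(down):
            if a == b:                              # shared ancestor realm
                path = up[:i + 1] + down[:j][::-1]
            elif frozenset({a, b}) in links:        # direct trust link
                path = up[:i + 1] + down[:j + 1][::-1]
            else:
                continue
            # Every hop in the chain must be an established trust link.
            hops = zip(path, path[1:])
            if all(frozenset(h) in links for h in hops):
                if best is None or len(path) < len(best):
                    best = path
    return best

def cross_realm_tgts(path):
    """Cross-realm TGT principals needed to walk the path in this direction."""
    return [f"krbtgt/{nxt}@{cur}" for cur, nxt in zip(path, path[1:])]

if __name__ == "__main__":
    chain = trust_path("IT.BAMBI.COM", "DEER.JUNGLE.COM")
    print(" -> ".join(chain))
    for principal in cross_realm_tgts(chain):
        print(principal)
```

Removing any one link from the table makes `trust_path` return `None`, which is the practical meaning of the chain: every intermediate realm must hold a trust relationship with its neighbour.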

Other Types Of Trust

You may choose to interoperate with other Kerberos implementations. HP’s Kerberos Server, Microsoft Windows 2000, and MIT Kerberos Servers provide Kerberos security solutions following the same IETF standard. HP’s Kerberos Server can interoperate with these other solutions, which allows you to selectively deploy the platforms you choose to meet the needs of your company.

Information on interoperability with Windows 2000 is provided in Chapter 4, “Interoperability With Windows 2000,” on page 49.
