Inter-realm

Configuring Direct Trust Relationships

If the Kerberos Security Servers manage each and every realm in a multi-realm environment, you must add inter-realm principals to the principal databases for each realm.

Inter-realm principals are special-case krbtgt/REALM1@REALM2 principal accounts, where:

krbtgt/REALM1 is the Ticket-Granting-Service principal for Realm 1

REALM2 is the foreign realm

A direct trust relationship exists when the server that hosts Realm A directly trusts the server that hosts Realm B.

Inter-realm ticket requests are constructed by the client system rather than the servers. Inter-realm authentication begins when a user requests a service ticket for a service that is not in the user’s default realm.

The client software constructs the service ticket request and sends it to the Kerberos Server that supports the user’s default realm. As the service is not in that realm, the Kerberos Server cannot return a service ticket. However, if it has a direct trust link to the service’s realm, it can return an inter-realm ticket for the service’s realm.

When the client receives the inter-realm ticket, it sends the inter-realm ticket with the service ticket request to the Kerberos Server that supports the service’s realm.

When a foreign Kerberos Server receives an inter-realm ticket together with a service ticket request, and the inter-realm ticket was obtained from a realm with which a direct trust relationship exists, the foreign Kerberos Server returns the service ticket.

For this process to work, the following must hold on the server side:

The user principal must be able to authenticate in the user’s default realm.

There must be a trust relationship established between the user’s default realm and the service’s realm.
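The exchange described above, as an added toy model that is not part of this manual: two KDC principal databases, the client-driven two-step request, and the foreign KDC's check that the inter-realm principal krbtgt/REALM2@REALM1 is present in its own database. Realm names A and B, the service host/srv.b@B, and all keys are constructed sample values; "encryption under a principal's key" is modelled with an HMAC tag, not real Kerberos cryptography.

```python
import hashlib, hmac, json

def _seal(key, body):
    # Model "encrypt under a principal's key" as an HMAC tag over the ticket body.
    tag = hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def _verify(key, ticket):
    return hmac.compare_digest(_seal(key, ticket["body"])["tag"], ticket["tag"])

class KDC:
    def __init__(self, realm, principals):
        self.realm, self.db = realm, dict(principals)  # principal name -> key
    def issue_tgt(self, client):
        # Outcome of the (not modelled) AS exchange in the client's default realm.
        return _seal(self.db[f"krbtgt/{self.realm}@{self.realm}"], {"client": client, "issuer": self.realm})

    def tgs_exchange(self, tgt, service):
        # A ticket is usable here only if sealed under a krbtgt key held in THIS database:
        # krbtgt/B@B for local TGTs, krbtgt/B@A for inter-realm tickets issued by realm A.
        issuer = tgt["body"]["issuer"]
        krbtgt = f"krbtgt/{self.realm}@{issuer}"
        if krbtgt not in self.db or not _verify(self.db[krbtgt], tgt):
            return {"error": f"{self.realm}: no trust for ticket issued by {issuer}"}
        svc_realm = service.split("@")[1]
        if svc_realm == self.realm:
            return _seal(self.db[service], {"client": tgt["body"]["client"], "service": service})
        # Foreign service: return an inter-realm ticket only if a direct trust link exists.
        inter = f"krbtgt/{svc_realm}@{self.realm}"
        if inter not in self.db:
            return {"error": f"{self.realm}: no direct trust to {svc_realm}"}
        return _seal(self.db[inter], {"client": tgt["body"]["client"], "issuer": self.realm, "for_realm": svc_realm})

def get_service_ticket(client, kdcs, service):
    # Client-driven flow: ask the home KDC; if it returns an inter-realm ticket, present it to the foreign KDC.
    home = kdcs[client.split("@")[1]]
    resp = home.tgs_exchange(home.issue_tgt(client), service)
    if "error" in resp or "for_realm" not in resp["body"]:
        return resp
    return kdcs[resp["body"]["for_realm"]].tgs_exchange(resp, service)

def demo(trusted=True):
    # Constructed sample keys; krbtgt/B@A must be in BOTH databases with the same key for the trust to work.
    k_aa, k_bb, k_ba, k_svc = b"kA" * 8, b"kB" * 8, b"kBA" * 8, b"kS" * 8
    realm_a = {"krbtgt/A@A": k_aa, "krbtgt/B@A": k_ba}
    realm_b = {"krbtgt/B@B": k_bb, "host/srv.b@B": k_svc}
    if trusted:
        realm_b["krbtgt/B@A"] = k_ba  # omit this and realm B cannot verify the inter-realm ticket
    kdcs = {"A": KDC("A", realm_a), "B": KDC("B", realm_b)}
    return get_service_ticket("alice@A", kdcs, "host/srv.b@B")
```

With the inter-realm principal present in both databases, demo() returns a service ticket for alice@A; with it missing from realm B, the foreign KDC rejects the request.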

Chapter 8