Inter-realm

Configuring Direct Trust Relationships

The Kerberos Server returns a failure for any of the following reasons:

The client authentication fails.

It does not recognize the realm listed in the inter-realm ticket, that is, a proper trust relationship between the realms has not been established.

It does not recognize the requested service principal, and has no further trust relationships for which it returns an inter-realm ticket.

Direct Trust Relationship Example

To set up a cross-realm authentication between the two realms ADMIN.BAMBI.COM and IT.BAMBI.COM, we need to create two special principals on each KDC as shown below:

krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM

krbtgt/IT.BAMBI.COM@ADMIN.BAMBI.COM

The above special principals together indicate a two-way trust relationship. If you want to configure only a one-way trust relationship, you need to create just the following special principal:

krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM

The password of a given cross-realm principal has to be the same on both KDCs. However, the two different cross-realm principals do not have to have matching passwords.

For example,

krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM has to have the same password on each KDC, but

krbtgt/IT.BAMBI.COM@ADMIN.BAMBI.COM and krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM do not have to share the same password.
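The password rules above are easy to get wrong when the principals are entered by hand on two KDCs. The following added example (not from the original document) models the krbtgt entries of both KDC databases as constructed dictionaries and checks, per direction, whether the corresponding principal exists on both KDCs with the same password; the two directions are checked independently, so differing passwords between the two principals are accepted.

```python
"""Cross-realm trust consistency check for two KDCs (added example).

Each KDC database is modelled as a dict mapping principal name to the password
that was set for it (the real KDC stores derived keys; passwords are used here
only because they are what the text's rule is stated in terms of).
"""


def krbtgt_principal(service_realm, client_realm):
    """Cross-realm principal that lets clients of client_realm obtain tickets
    for services in service_realm, e.g. krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM."""
    return f"krbtgt/{service_realm}@{client_realm}"


def check_trust(kdc_a_db, kdc_b_db, realm_a, realm_b):
    """Return {direction: 'ok' | 'missing' | 'mismatch'} for both directions.

    'missing'  : the principal is absent from at least one KDC (no trust).
    'mismatch' : present on both KDCs but with different passwords, which makes
                 the inter-realm ticket undecryptable by the other KDC.
    """
    status = {}
    for service_realm, client_realm in ((realm_a, realm_b), (realm_b, realm_a)):
        princ = krbtgt_principal(service_realm, client_realm)
        direction = f"{client_realm} -> {service_realm}"
        pw_a, pw_b = kdc_a_db.get(princ), kdc_b_db.get(princ)
        if pw_a is None or pw_b is None:
            status[direction] = "missing"
        elif pw_a != pw_b:
            status[direction] = "mismatch"
        else:
            status[direction] = "ok"
    return status


def trust_type(status):
    """Classify the relationship from the per-direction results."""
    ok_count = sum(1 for s in status.values() if s == "ok")
    return {2: "two-way", 1: "one-way"}.get(ok_count, "none")


# Constructed sample: two-way trust entered correctly on both KDCs.  Note the
# two principals deliberately use different passwords, which is allowed.
ADMIN_KDC = {"krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM": "pw-admin-from-it",
             "krbtgt/IT.BAMBI.COM@ADMIN.BAMBI.COM": "pw-it-from-admin"}
IT_KDC = dict(ADMIN_KDC)

if __name__ == "__main__":
    result = check_trust(ADMIN_KDC, IT_KDC, "ADMIN.BAMBI.COM", "IT.BAMBI.COM")
    print(result, trust_type(result))
```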

Chapter 8