Inter-realm

Hierarchical Inter-realm Trust

Hierarchical inter-realm authentication is used when one realm does not have a direct path to its destination realm, but does have a path to one or more intermediate realms.

A Hierarchical Chain of Trust

Inter-realm trust can be transitive, for example if realm A trusts B and B trusts C, then a client in A can get a ticket from C by following the trust path from A to B to C.

For example, realm 1 could be X.Y.A, realm 2 could be X.Y.C, and realm 3 could be X.Y.B, with the following direct trust relationships established between them:

Realm X.Y.A has a direct trust link to realm X.Y.B.

Realm X.Y.B has a direct trust link to realm X.Y.C.

In such a configuration, the client "walks" the realm tree from node X.Y.A to X.Y.C by requesting an inter-realm TGT from each intermediate realm, X.Y.B, until it obtains the service ticket from X.Y.C.

Although creating such hierarchical trusts is more efficient than attempting to configure each server with knowledge of all possible inter-realm trust relationships, the client must still perform the realm tree computation, map each realm to a security server hostname, and request an inter-realm TGT from each realm in the path.

In addition, the Kerberos protocol requires the client to know the exact realm of each service it wishes to authenticate to. In the last example, the client in X.Y.A must know that the service it wants to access belongs to realm X.Y.C.
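The walk described above, modelled as added example code (not from the book): it performs the realm tree computation over the X.Y.A, X.Y.B, X.Y.C trust links, issues the sequence of inter-realm TGTs, and records the intermediate realms in each ticket's transited field the way a KDC does, so the destination realm can apply a transited policy. The `DIRECT_TRUSTS` graph and the `Ticket` model are constructed for illustration, and the transited-field handling follows RFC 4120 rather than anything stated on this page.

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed trust graph for the page's example: each realm maps to the realms it
# shares a direct cross-realm key with, so X.Y.A reaches X.Y.C only through X.Y.B.
DIRECT_TRUSTS = {"X.Y.A": {"X.Y.B"}, "X.Y.B": {"X.Y.A", "X.Y.C"}, "X.Y.C": {"X.Y.B"}}

@dataclass
class Ticket:
    issuer: str     # realm whose KDC issued the ticket
    target: str     # realm the ticket is for (same as issuer for home TGT and service ticket)
    transited: list = field(default_factory=list)   # intermediate realms crossed so far

def realm_path(src, dst, trusts):
    """Realm tree computation: shortest chain of directly trusting realms (BFS), or None."""
    prev, queue = {src: None}, deque([src])
    while queue:
        realm = queue.popleft()
        if realm == dst:
            path = []
            while realm is not None:          # rebuild the chain back to src
                path.append(realm)
                realm = prev[realm]
            return path[::-1]
        for nxt in sorted(trusts.get(realm, ())):
            if nxt not in prev:
                prev[nxt] = realm
                queue.append(nxt)
    return None

def walk_realms(client_realm, service_realm, trusts):
    """Tickets the client collects: home TGT, one inter-realm TGT per KDC, then the service ticket."""
    path = realm_path(client_realm, service_realm, trusts)
    if path is None:
        raise LookupError(f"no trust path from {client_realm} to {service_realm}")
    tgt = Ticket(client_realm, client_realm)          # AS exchange with the home KDC
    tickets = [tgt]
    for i, kdc in enumerate(path):
        requested = path[i + 1] if i + 1 < len(path) else service_realm
        # TGS exchange: the KDC appends the presented TGT's issuer to the transited list
        # unless that issuer is the client's realm or the KDC's own realm (RFC 4120 3.3.3).
        transited = tgt.transited + [tgt.issuer] * (tgt.issuer not in (client_realm, kdc))
        tgt = Ticket(kdc, requested, transited)
        tickets.append(tgt)
    return tickets

def transited_policy_ok(ticket, allowed_intermediates):
    """Service-side check: every intermediate realm in the ticket must be one it trusts transitively."""
    return all(realm in allowed_intermediates for realm in ticket.transited)
```

For the X.Y.A to X.Y.C case the client ends up with four tickets, and only the final service ticket carries a transited entry, X.Y.B; a destination realm that does not list X.Y.B as an acceptable intermediate rejects it.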

Hierarchical Inter-realm Example

Let us assume that a client in the realm RED.BLUE.COM needs to authenticate to a service located in the realm GREEN.YELLOW.COM, but realm RED.BLUE.COM does not have a direct trust relationship established with the realm GREEN.YELLOW.COM.

252

Chapter 8