Inter-realm

Hierarchical Inter-realm Trust

Now VIBGYOR.INDIGO.COM has a direct trust relationship with both RED.BLUE.COM and GREEN.YELLOW.COM. Hence, RED.BLUE.COM can obtain an inter-realm ticket through the intermediate realm, VIBGYOR.INDIGO.COM. The client in RED.BLUE.COM requests an inter-realm ticket from VIBGYOR.INDIGO.COM, and then uses that inter-realm ticket to contact GREEN.YELLOW.COM for a ticket to a service in its realm.

Hierarchical Inter-realm Configuration

To configure realms to perform hierarchical inter-realm authentication, the following steps are necessary in each realm (local realm, intermediate realm(s), and target realm).

Add an inter-realm principal (krbtgt/REALM2@REALM1) to the principal database to allow the local realm to authenticate with the intermediate realm and the intermediate realm to authenticate with another intermediate or the target realm.

If you also want the intermediate or target realm to authenticate with the local realm or another intermediate realm (two-way trust), you must add a second inter-realm principal (krbtgt/REALM1@REALM2) to the database.
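As an added illustration (not part of the original guide), the following Python script models the two steps above: it lists the krbtgt/REALM2@REALM1 principals each hop of a hierarchical chain needs, and then checks, by walking those direct trusts, whether a client realm can actually reach a service realm through the intermediate. The realm names are the ones used in the example above; the helper names (`required_principals`, `parse_trust`, `find_path`) are assumptions of this example, not commands of any Kerberos implementation.

```python
from collections import deque

# Realms from the guide's hierarchical example; the one-way chain below is
# constructed to match the description of RED reaching GREEN via VIBGYOR.
LOCAL = "RED.BLUE.COM"
INTERMEDIATE = "VIBGYOR.INDIGO.COM"
TARGET = "GREEN.YELLOW.COM"


def required_principals(chain, two_way=False):
    """Principals to add so that chain[0] can reach chain[-1] hop by hop.

    krbtgt/REALM2@REALM1 lets REALM1 obtain tickets usable in REALM2, so each
    hop needs one such entry; two_way adds the reverse entry for each hop.
    """
    principals = []
    for src, dst in zip(chain, chain[1:]):
        principals.append(f"krbtgt/{dst}@{src}")
        if two_way:
            principals.append(f"krbtgt/{src}@{dst}")
    return principals


def parse_trust(principal):
    """'krbtgt/TO@FROM' -> (FROM, TO): clients of FROM may obtain tickets for TO."""
    service, source = principal.split("@", 1)
    kind, target = service.split("/", 1)
    if kind != "krbtgt":
        raise ValueError(f"not an inter-realm principal: {principal}")
    return source, target


def find_path(principals, client_realm, service_realm):
    """Breadth-first search over the direct trusts; returns the realm path or None.

    A None result means the client realm has no chain of krbtgt principals
    leading to the service realm, so no inter-realm ticket can be obtained.
    """
    trusts = {}
    for p in principals:
        src, dst = parse_trust(p)
        trusts.setdefault(src, set()).add(dst)
    queue = deque([[client_realm]])
    seen = {client_realm}
    while queue:
        path = queue.popleft()
        if path[-1] == service_realm:
            return path
        for nxt in sorted(trusts.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


if __name__ == "__main__":
    one_way = required_principals([LOCAL, INTERMEDIATE, TARGET])
    print(one_way)
    print(find_path(one_way, LOCAL, TARGET))   # RED reaches GREEN via VIBGYOR
    print(find_path(one_way, TARGET, LOCAL))   # None: no trust in the other direction
    two_way = required_principals([LOCAL, INTERMEDIATE, TARGET], two_way=True)
    print(find_path(two_way, TARGET, LOCAL))   # reverse path exists once the second principals are added
```

Running the script with only the one-way principals shows the path from RED.BLUE.COM to GREEN.YELLOW.COM but no path back, which is exactly the case the second step addresses: the reverse krbtgt entries must be present in each intermediate realm before a client in the target realm can authenticate toward the local realm.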

These actions are described in detail in the following sections. The example configuration in this section uses the inter-realm authentication principals shown in the figure below. The relationships are defined as follows:

krbtgt/BAMBI.COM@FINANCE.JUNGLE.COM allows the server in BAMBI.COM to accept tickets from FINANCE.JUNGLE.COM

Chapter 8

253