Interoperability With Windows 2000

Inter-Realm (Inter-Domain) Authentication

When two distinct realms share common keys, the two realms are said to trust one another. With that trust in place, principals can securely access services in their native realm as well as those in the trusted realm. HP terms such access inter-realm authentication; Microsoft terms it inter-domain authentication or cross-realm authentication.

The following are examples of interoperability scenarios:

A Kerberos principal can authenticate to a Kerberos Server and access services registered in its native realm as well as trusted Windows 2000 domains.

A Kerberos principal can authenticate to a Windows 2000 domain controller and access services registered in its native domain as well as trusted foreign domains or realms.

A Windows 2000 principal can authenticate to a Kerberos Server and access services registered in its native realm as well as trusted foreign realms or domains.

A Windows 2000 principal can authenticate to a Windows 2000 KDC and access services registered in its native domain as well as trusted foreign domains or realms.

Inter-realm authentication relies on secure authentication between users and the KDC in a single realm. The shared inter-realm key between trusted KDCs provides the extra link to create a chain of trust that allows a principal in one realm to authenticate to a service in a trusted foreign realm.
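The chain of trust described above, as an added example that is not part of the HP manual: a small Python model of how a client's KDC walks a configured trust path and what cross-realm TGTs (`krbtgt/TARGET@ISSUER`) the client must obtain, one per hop, each requiring a shared inter-realm key. The realm names, key table and path table are constructed; the `"."` convention for a direct path mirrors the krb5.conf `[capaths]` section.

```python
"""Model of inter-realm (cross-realm) ticket chaining.

A principal in one realm reaches a service in another realm only if every
KDC along the path holds a shared key for the next realm. All realm names
and keys below are constructed for illustration.
"""
from typing import Optional

# Shared inter-realm keys, modelled as the cross-realm TGS principals a KDC
# holds: ("ISSUER", "TARGET") means krbtgt/TARGET@ISSUER exists, so ISSUER's
# KDC can issue a TGT that TARGET's KDC will accept.
CROSS_REALM_KEYS = {
    ("HPUX.EXAMPLE.COM", "CORP.EXAMPLE.COM"),        # HP-UX realm -> Windows 2000 domain
    ("CORP.EXAMPLE.COM", "HPUX.EXAMPLE.COM"),        # and the reverse direction
    ("CORP.EXAMPLE.COM", "CHILD.CORP.EXAMPLE.COM"),  # domain -> child domain
    ("CHILD.CORP.EXAMPLE.COM", "CORP.EXAMPLE.COM"),
}

# Trust paths per client realm, in the style of krb5.conf [capaths]:
# client realm -> service realm -> list of intermediate realms ("." = direct).
CAPATHS = {
    "HPUX.EXAMPLE.COM": {
        "CORP.EXAMPLE.COM": ["."],
        "CHILD.CORP.EXAMPLE.COM": ["CORP.EXAMPLE.COM"],
        # Configured path whose last hop has no shared key (broken chain).
        "LAB.EXAMPLE.COM": ["CORP.EXAMPLE.COM"],
    },
}


def trust_path(client_realm: str, service_realm: str,
               capaths=CAPATHS, keys=CROSS_REALM_KEYS) -> Optional[list]:
    """Return the ordered krbtgt principals the client must obtain to reach
    service_realm, [] if the service is in the client's own realm, or None
    if some KDC on the path lacks a shared inter-realm key."""
    if client_realm == service_realm:
        return []  # single realm: only the local TGT is needed
    # Without a configured path, assume a direct trust is attempted.
    intermediates = capaths.get(client_realm, {}).get(service_realm, ["."])
    hops = [client_realm] + [r for r in intermediates if r != "."] + [service_realm]
    tickets = []
    for issuer, target in zip(hops, hops[1:]):
        if (issuer, target) not in keys:
            return None  # broken link: issuer's KDC cannot vouch for target
        tickets.append(f"krbtgt/{target}@{issuer}")
    return tickets
```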

Chapter 4

HP-UX Kerberos Data Security Software manual, Inter-Realm (Inter-Domain) Authentication