Kerberos cross-realm with AD

Douglas E. Engert deengert at
Mon Feb 7 15:45:24 EST 2011

On 2/6/2011 11:15 PM, Jean-Yves Avenard wrote:
> Hi there.
> Providing more information in the hope that someone will be able to help:
> This is the process I've followed.
> In Windows 2008 (MEL.DOMAIN.COM domain):
> Started Active Directory Domain and Trusts
> Right click on the domain name ->  Properties. Select Trusts ->  New Trusts
> Entered M.DOMAIN.COM ; made it two ways ; non-transitive ; typed the
> password. Validate..
> On MIT kdc machine (M.DOMAIN.COM realm)
> kadmin.local:
> kadmin.local:  ank +requires_preauth krbtgt/M.DOMAIN.COM at MEL.DOMAIN.COM
> WARNING: no policy specified for krbtgt/M.DOMAIN.COM at MEL.DOMAIN.COM;
> defaulting to no policy
> Enter password for principal "krbtgt/M.DOMAIN.COM at MEL.DOMAIN.COM":
> Re-enter password for principal "krbtgt/M.DOMAIN.COM at MEL.DOMAIN.COM":
> Principal "krbtgt/M.DOMAIN.COM at MEL.DOMAIN.COM" created.
> kadmin.local:  ank +requires_preauth krbtgt/MEL.DOMAIN.COM at M.DOMAIN.COM
> WARNING: no policy specified for krbtgt/MEL.DOMAIN.COM at M.DOMAIN.COM;
> defaulting to no policy
> Enter password for principal "krbtgt/MEL.DOMAIN.COM at M.DOMAIN.COM":
> Re-enter password for principal "krbtgt/MEL.DOMAIN.COM at M.DOMAIN.COM":
> Principal "krbtgt/MEL.DOMAIN.COM at M.DOMAIN.COM" created.
> In the above, I used the same password (32 random characters) as I
> used in Windows 2008 server.
> Edited /etc/krb5.conf on the kdc as follow:
> [libdefaults]
>          default_realm = M.DOMAIN.COM
> [realms]
>          M.DOMAIN.COM = {
>                  admin_server =
>                  kdc =
>          }
>          MEL.DOMAIN.COM = {
>                  admin_server =
>                  kdc =
>          }
> [domain_realm]
> [capaths]
>      MEL.DOMAIN.COM = {
>          M.DOMAIN.COM = .
>      }
>      M.DOMAIN.COM = {
>          MEL.DOMAIN.COM = .
>      }
> ---
> On the web server using mod_auth_kerb:
> I set the /etc/krb5.conf as above...
> People with a M.DOMAIN.COM ticket, can connect fine as that's what it
> is configured for.
> On my PC ; I then got a ticket as jean-yves.avenard at MEL.DOMAIN.COM ;

Is your PC Windows? Is it in a domain? If so, which domain?
Did you get the ticket using the Windows Kerberos, or some other Kerberos?

Is the browser IE or some other browser using non-windows Kerberos?

(Windows built-in Kerberos does not use the krb5.conf, and so does
cross-realm a little differently.)

> and try to connect to the web server ; and it fails prompting me for a
> username/password (it's setup to accept any user with kerberos
> authtype)
> On the KDC; in the log I see:
> Feb 07 16:10:54 krb5kdc[75](info): TGS_REQ (7 etypes {18
> 17 16 23 1 3 2}) PROCESS_TGS: authtime 0,<unknown
> client>  for HTTP/ at M.DOMAIN.COM, Decrypt
> integrity check failed

This looks strange, as the should be in the
MEL.DOMAIN.COM realm and the client should not be sending a request
to the M.DOMAIN.COM realm.

But the "Decrypt integrity check failed" would also imply that it
found a key to use, but the decryption did not work. This may be
a salt issue. If you set up cross-realm to use RC4, it does not
use a salt and that might take one factor out of the loop.

A wireshark trace run on the client could help see what is going on.

> Feb 07 16:10:54 krb5kdc[75](info): TGS_REQ (7 etypes {18
> 17 16 23 1 3 2}) PROCESS_TGS: authtime 0,<unknown
> client>  for HTTP/ at M.DOMAIN.COM, Decrypt
> integrity check failed
> Feb 07 16:10:54 krb5kdc[75](info): TGS_REQ (7 etypes {18
> 17 16 23 1 3 2}) PROCESS_TGS: authtime 0,<unknown
> client>  for HTTP/ at M.DOMAIN.COM, Decrypt
> integrity check failed
> Feb 07 16:10:54 krb5kdc[75](info): TGS_REQ (7 etypes {18
> 17 16 23 1 3 2}) PROCESS_TGS: authtime 0,<unknown
> client>  for HTTP/ at M.DOMAIN.COM, Decrypt
> integrity check failed
> Which lead me to believe that there's an incorrect password set
> somewhere... but which one ?
> I'm a tad puzzled about what's going on..
> If someone could shed some lights it would be greatly appreciated.
> Thank you
> Jean-Yves
> ________________________________________________
> Kerberos mailing list           Kerberos at


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
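The salt remark in the reply above, as an added illustration that is not part of this thread: for the AES enctypes the Kerberos string-to-key function is salted (RFC 3962), so two KDCs seeded with the same password but deriving different salt strings end up with different krbtgt keys, while RC4-HMAC (RFC 4757) hashes the password alone and cannot be upset by a salt. The MIT-style salt follows the RFC 4120 default; the alternative salt, the password and the function names are constructed placeholders, and the compact MD4 is included only because hashlib lacks it on many OpenSSL 3 builds.

```python
import hashlib, struct
def md4(data: bytes) -> bytes:
    """Minimal MD4 (RFC 1320): hashlib's md4 is missing on many OpenSSL 3 builds."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:
                f, k, s, add = F(b, c, d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:
                f, k, s, add = G(b, c, d), (i % 4) * 4 + (i % 16) // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:
                f, k, s, add = H(b, c, d), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i % 16], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, rol((a + f + X[k] + add) & 0xFFFFFFFF, s), b, c
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def default_salt(principal: str) -> str:
    """RFC 4120 default salt: the realm followed by the name components, no separators."""
    name, realm = principal.split("@", 1)
    return realm + "".join(name.split("/"))

def string_to_key(etype: int, password: str, salt: str) -> bytes:
    """First stage of string-to-key for the etypes in the KDC log line. 17/18 (AES,
    RFC 3962): PBKDF2-HMAC-SHA1(password, salt, 4096); the final DK() step needs AES
    and is left out, but a salt mismatch here already reaches the final key.
    23 (RC4-HMAC, RFC 4757): MD4(UTF-16LE(password)), salt unused."""
    if etype in (17, 18):
        return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 32 if etype == 18 else 16)
    if etype == 23:
        return md4(password.encode("utf-16-le"))
    raise ValueError("etype %d not modelled here" % etype)

def keys_match(etype: int, password: str, salt_a: str, salt_b: str) -> bool:
    """Would two KDCs, sharing a password but each using its own salt, agree on the key?"""
    return string_to_key(etype, password, salt_a) == string_to_key(etype, password, salt_b)

if __name__ == "__main__":
    pw = "constructed-placeholder-password"  # constructed; not the real 32-character trust password
    mit_salt = default_salt("krbtgt/M.DOMAIN.COM@MEL.DOMAIN.COM")  # "MEL.DOMAIN.COMkrbtgtM.DOMAIN.COM"
    peer_salt = "MEL.DOMAIN.COMkrbtgt"       # constructed: a differently derived salt on the other side
    for et in (18, 17, 23):
        print("etype %2d: %s" % (et, "keys match" if keys_match(et, pw, mit_salt, peer_salt) else "KEY MISMATCH"))
```

With the AES etypes (18, 17) listed first in the client's request, the KDC picks a salted key before it ever reaches RC4 (23), which is why restricting the cross-realm principals to RC4 removes the salt from the picture.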
