Interrealm (Interdomain) Authentication

If two distinct realms share common keys, the realms trust one another. With that trust in place, principals can securely access services in their native realm as well as those in the trusted realm. HP calls such an access interrealm authentication, and Microsoft calls it inter-domain authentication or cross-realm authentication.

The following are examples of interrealm interoperability scenarios:

A Kerberos principal can authenticate to a Kerberos server with access services registered in its native realm and trusted Windows 2000 domains.
A Kerberos principal can authenticate to a Windows 2000 domain controller with access services registered in its native domain and in trusted foreign domains or realms.
A Windows 2000 principal can authenticate to a Kerberos server with access services registered in its native realm and in trusted foreign realms or domains.
A Windows 2000 principal can authenticate to a Windows 2000 KDC with access services registered in its native domain and in trusted foreign domains or realms.

Interrealm authentication relies on secure authentication between users and the KDC in a single realm. The shared interrealm key between trusted KDCs provides the extra link to create a chain of trust that allows a principal in one realm to authenticate to a service in a trusted foreign realm.

Interrealm (Interdomain) Authentication

Technical documentation

» Table of Contents

» Glossary

» Index