Installing, Configuring and Administering the Kerberos Server on HP-UX 11i: HP 9000 Networking > Chapter 4 Administration

Setting up Cross-Realm Authentication


Any Kerberos principal can authenticate to other principals within the same Kerberos realm. However, it is also possible to configure a Kerberos realm so principals in one realm can authenticate to principals in another realm. This is called cross-realm authentication.

To set up cross-realm authentication, the KDCs of the two realms share special cross-realm principals. The keys of these principals are used to prove the identity of a principal when it crosses the boundary between the realms.

For example, to set up cross-realm authentication between the two realms ADMIN.BAMBI.COM and IT.BAMBI.COM, you need to create the following two special principals on each of the two KDCs:

krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM
krbtgt/IT.BAMBI.COM@ADMIN.BAMBI.COM

The password of a given cross-realm principal has to be the same on both KDCs, because both KDCs must hold the same key for it. The two different cross-realm principals, however, do not have to have matching passwords.

For example,

krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM has to have the same password on each KDC, but

krbtgt/IT.BAMBI.COM@ADMIN.BAMBI.COM and krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM do not have to share the same password.

Also note that the key version number (kvno) of each of these special principals must match on both KDCs. If the password is reset on only one of the KDCs, that KDC's key and kvno no longer match the other's, and cross-realm authentication fails. When you change the password of a cross-realm principal, change it to the same value on both KDCs at the same time.

When a client wants to authenticate to a server in another realm, it uses its current TGT to request a cross-realm TGT (a ticket for krbtgt/REMOTE-REALM@LOCAL-REALM) from its local KDC. It then presents that cross-realm TGT to the foreign KDC to request service tickets for servers in the foreign realm.

Since each of the two principals corresponds to one direction of authentication, you need to create only one of them if you want one-way cross-realm authentication. For example, to let principals in ADMIN.BAMBI.COM authenticate to servers in IT.BAMBI.COM but not the reverse, create only krbtgt/IT.BAMBI.COM@ADMIN.BAMBI.COM (on both KDCs).
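The following Python script is an added example and is not part of the HP manual or of the HP-UX Kerberos server. It models the principal databases of the two KDCs with constructed sample data and checks the prerequisites described above: that the cross-realm principal for a given direction exists on both KDCs with the same password-derived key and the same kvno, that a one-sided password reset breaks the trust until the other KDC is updated, and which tickets a client obtains, in order, to reach a service in the other realm over a direct path. The Kdc class and the check_trust, auth_path and demo functions are names assumed by this example, and the salted SHA-256 string_to_key is a stand-in for the real Kerberos string-to-key function, not an actual encryption type.

```python
import hashlib
from dataclasses import dataclass


def string_to_key(password: str, principal: str) -> bytes:
    # Stand-in for the Kerberos string-to-key function (assumption: a real
    # KDC derives the key from the password and a salt that defaults to the
    # principal name; salted SHA-256 plays that role here).
    return hashlib.sha256((principal + password).encode()).digest()


@dataclass
class KeyEntry:
    key: bytes
    kvno: int


class Kdc:
    """Minimal model of one KDC's principal database (hypothetical)."""

    def __init__(self, realm: str) -> None:
        self.realm = realm
        self.db: dict[str, KeyEntry] = {}

    def addprinc(self, principal: str, password: str) -> None:
        # A newly created principal starts at kvno 1.
        self.db[principal] = KeyEntry(string_to_key(password, principal), 1)

    def cpw(self, principal: str, password: str) -> None:
        # A password change rekeys the principal and bumps its kvno; done on
        # only one KDC this is exactly what breaks cross-realm authentication.
        old = self.db[principal]
        self.db[principal] = KeyEntry(string_to_key(password, principal),
                                      old.kvno + 1)


def cross_realm_principal(client_realm: str, server_realm: str) -> str:
    """Principal whose key protects tickets from client_realm to server_realm."""
    return f"krbtgt/{server_realm}@{client_realm}"


def check_trust(client_kdc: Kdc, server_kdc: Kdc) -> list[str]:
    """Problems that would make client_realm -> server_realm cross-realm
    authentication fail; an empty list means that direction is consistent."""
    name = cross_realm_principal(client_kdc.realm, server_kdc.realm)
    local, remote = client_kdc.db.get(name), server_kdc.db.get(name)
    problems = []
    if local is None:
        problems.append(f"{name} missing on {client_kdc.realm} KDC")
    if remote is None:
        problems.append(f"{name} missing on {server_kdc.realm} KDC")
    if local is not None and remote is not None:
        if local.key != remote.key:
            problems.append(f"{name}: password differs between KDCs")
        if local.kvno != remote.kvno:
            problems.append(f"{name}: kvno {local.kvno} vs {remote.kvno}")
    return problems


def auth_path(client_realm: str, server_realm: str, service: str) -> list[str]:
    """Tickets a client in client_realm obtains, in order, to reach
    service@server_realm over a direct [capaths] entry ('.')."""
    local_tgt = f"krbtgt/{client_realm}@{client_realm}"
    if client_realm == server_realm:
        return [local_tgt, f"{service}@{server_realm}"]
    return [
        local_tgt,                                           # AS-REQ to local KDC
        cross_realm_principal(client_realm, server_realm),   # TGS-REQ to local KDC
        f"{service}@{server_realm}",                         # TGS-REQ to foreign KDC
    ]


def demo() -> dict[str, list[str]]:
    """Constructed scenario for the two realms used in the text."""
    admin, it = Kdc("ADMIN.BAMBI.COM"), Kdc("IT.BAMBI.COM")
    # Two-way trust: each direction has its own password, but a given
    # principal gets the same password on both KDCs.
    for kdc in (admin, it):
        kdc.addprinc("krbtgt/IT.BAMBI.COM@ADMIN.BAMBI.COM", "admin-to-it-secret")
        kdc.addprinc("krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM", "it-to-admin-secret")
    results = {"admin->it": check_trust(admin, it),
               "it->admin": check_trust(it, admin)}
    # Reset the password on one KDC only: key and kvno now disagree.
    admin.cpw("krbtgt/IT.BAMBI.COM@ADMIN.BAMBI.COM", "new-secret")
    results["admin->it after one-sided reset"] = check_trust(admin, it)
    # Apply the same change on the other KDC: back in sync.
    it.cpw("krbtgt/IT.BAMBI.COM@ADMIN.BAMBI.COM", "new-secret")
    results["admin->it after reset on both"] = check_trust(admin, it)
    return results


if __name__ == "__main__":
    for label, problems in demo().items():
        print(f"{label}: {problems or 'OK'}")
    print(auth_path("ADMIN.BAMBI.COM", "IT.BAMBI.COM", "host/fox.it.bambi.com"))
```

Running the script shows both directions consistent after setup, a key and kvno mismatch after the one-sided reset, and consistency again once the same password is set on the second KDC. The same check_trust call on a pair of KDCs holding only one of the two principals reports the missing principal for the other direction, which is the one-way case.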

Following is a graphical representation of cross-realm authentication for the realms ADMIN.BAMBI.COM and IT.BAMBI.COM.

Figure 4-1 Structure of a Cross-Realm Authentication


A sample krb5.conf for this cross-realm configuration is given below. The [capaths] section tells a client in one realm how to reach the other; the value "." means that there is a direct path between the two realms, with no intermediate realm. Note that DES-CBC-CRC is single DES, which is no longer considered secure; if both KDCs and the clients support stronger encryption types, use those instead.

[libdefaults]
    default_realm = ADMIN.BAMBI.COM
    default_tkt_enctypes = DES-CBC-CRC
    default_tgs_enctypes = DES-CBC-CRC
    ccache_type = 2

[realms]
    ADMIN.BAMBI.COM = {
        kdc = deer.admin.bambi.com:88
        admin_server = deer.admin.bambi.com:749
    }
    IT.BAMBI.COM = {
        kdc = fox.it.bambi.com:88
        admin_server = fox.it.bambi.com:749
    }

[domain_realm]
    .admin.bambi.com = ADMIN.BAMBI.COM
    .it.bambi.com = IT.BAMBI.COM

[capaths]
    ADMIN.BAMBI.COM = {
        IT.BAMBI.COM = .
    }
    IT.BAMBI.COM = {
        ADMIN.BAMBI.COM = .
    }

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log
© 2001 Hewlett-Packard Development Company, L.P.