Getting a Kerberos ticket for a remote realm

  • Question

  • No idea if this is the right place for this, hopefully I can get some good answers.


    Question: Can a client in an untrusted domain get a Kerberos ticket for another domain and use this to access multiple resources without having to type username and password in repeatedly?




    Domain A contains Server B and Server C.  SPNs registered for each https/FQDN. Only ports 80 and 443 open to internet.


    Windows XP Client in Domain X connects to Server B over internet using https/FQDN with Internet Explorer.  Enable Integrated Windows Authentication is checked.  Everything is OK until he/she moves to Server C and is required to enter credentials again - this is a major pain for our customer.


    There is no trust between domain A and domain B and never will be.


    Is it possible to use Kerberos in this scenario?  I don't believe so as I can't for the life of me work out how the client is ever going to know where the KDC is in the Domain X without a referral from the KDC in his own domain A.  Port 88 is blocked to Domain X KDC but this can be opened if required.


    I have seen some sketchy articles on how to make XP machines participate in non-Windows Kerberos realms but I am not sure if this would work if the machine was part of a Windows AD domain.




    Monday, June 9, 2008 7:53 PM

All replies

  • Hi Ian,

         TechNet Forums sounds like the right place for your question.  I did not see a Win 2003 topic; you could probably post in the Win 2008 or XP topic.


         This is more of an Architecture forum, so it is hard to find someone that strikes the note on this topic here.




    Monday, June 9, 2008 9:47 PM