AD trust to Unix KDC with different DNS domain names - IE client spnego

  • Question

  • User1499314753 posted

    Trying to get a Win7 client in Domain1 to auth to Domain2 via cross-realm trust/SPNEGO.


    1. Domain1 - Win Server 2016 DC - PATRICA.COM
    2. Win 7 client is joined to Domain1 - viewing shares on the DC works fine. www.thomas.com is added to 'local network' in IE 10
    3. Domain2 - MIT Kerberos KDC - THOMAS.COM
    4. Apache WWW/mod_auth_kerb - keytabs for HTTP/www.thomas.com@THOMAS.COM and other relevant forms.
    5. Unix/Ubuntu client

    All on 192.168.0.X - test network.

    Two-way transitive trust set up with the same password between the AD and MIT Kerberos KDCs.

    NOTE: The unix client can make a kerberized connection OK to WWW.

    The Windows client does not seem to look up how to find THOMAS.COM. It looks up its DNS name (www.thomas.com) and does get a 401 Negotiate back from the WWW server, but it tries NTLM, not Kerberos. I know this b/c I don't see the "YII" auth token in the network trace. I've tried running "ksetup /addkdc THOMAS.COM kdc.thomas.com" on both the Windows client and the Win 2016 DC. (Do I need to do it on both?)

    I've set up _kerberos._udp.thomas.com. and _kerberos._tcp.thomas.com. SRV records to point to the MIT KDC.

    Can this work like this? If so, how does the client figure out www.thomas.com is part of THOMAS.COM, which is not part of AD?

    Sunday, June 3, 2018 7:47 PM
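The post diagnoses the fallback by eyeballing whether the base64 token starts with "YII". The following added example (not from the original thread) does that check properly: it decodes an `Authorization: Negotiate` header, walks the GSS-API/SPNEGO DER framing, and reports which mechanism the client actually chose. Sample tokens are constructed inline with the `build_negtokeninit` helper; the OID byte strings are the standard registered values, everything else is test data.

```python
import base64
from typing import Tuple

# DER-encoded mechanism OIDs (standard registered values, written out by hand here)
OID_SPNEGO = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2 (Windows variant)
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a") # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_KRB5: "kerberos", OID_MS_KRB5: "kerberos", OID_NTLMSSP: "ntlm"}

def _tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Return (tag, content_start, content_end) for the DER element at pos."""
    tag, n = buf[pos], buf[pos + 1]
    if n < 0x80:
        return tag, pos + 2, pos + 2 + n
    k = n & 0x7F
    return tag, pos + 2 + k, pos + 2 + k + int.from_bytes(buf[pos + 2:pos + 2 + k], "big")

def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to construct sample tokens."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def build_negtokeninit(mechs, mech_token: bytes = b"") -> str:
    """Constructed sample header: SPNEGO NegTokenInit listing `mechs` in preference order."""
    mech_types = _der(0xA0, _der(0x30, b"".join(_der(0x06, m) for m in mechs)))
    token = _der(0xA2, _der(0x04, mech_token)) if mech_token else b""
    inner = _der(0x06, OID_SPNEGO) + _der(0xA0, _der(0x30, mech_types + token))
    return "Negotiate " + base64.b64encode(_der(0x60, inner)).decode()

def classify_authorization(header: str) -> str:
    """Name the mechanism a client put first in its Authorization header."""
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm-raw"                      # bare NTLM, no SPNEGO wrapper at all
    if raw[:1] != b"\x60":
        return "unknown"
    _, pos, _ = _tlv(raw, 0)                   # GSS-API InitialContextToken
    _, s, e = _tlv(raw, pos)                   # thisMech OID
    if raw[s:e] != OID_SPNEGO:
        return MECH_NAMES.get(raw[s:e], "unknown") + "-raw"
    pos = e                                    # negTokenInit [0] > SEQ > mechTypes [0] > SEQ OF OID
    for expected in (0xA0, 0x30, 0xA0, 0x30):
        tag, pos, _ = _tlv(raw, pos)
        if tag != expected:
            return "spnego-malformed"
    tag, s, e = _tlv(raw, pos)                 # first listed mechanism is the one offered
    return "spnego-" + MECH_NAMES.get(raw[s:e], "other") if tag == 0x06 else "spnego-malformed"
```

A client that resolved the realm correctly offers Kerberos first (`spnego-kerberos`); the symptom in the post shows up as `spnego-ntlm` or `ntlm-raw`, which is a configuration problem on the client side, not a web-server one.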

All replies