Re: Kerberos - Multi-domain SPN problem
- From: stcheng@xxxxxxxxxxxxxxxxxxxx (Steven Cheng [MSFT])
- Date: Thu, 17 Jul 2008 08:18:24 GMT
Thanks for your reply Ken.
Yes, currently what I got is the same solution as you mentioned. Also, this issue is not quite IIS specific, so I involved some Windows Kerberos engineers when discussing this. Anyway, if there is any other information on this, I'd be glad to post it here.
Thanks again for your input here.
Sincerely,
Steven Cheng
Microsoft MSDN Online Support Lead
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@xxxxxxxxxxxxxx
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
From: "Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: Kerberos - Multi-domain SPN problem
Date: Wed, 16 Jul 2008 19:31:50 +1000
Stephen,
Were any other possible ways of getting this to work discussed? If so, I'm curious to know what they are.
Are there any limitations/drawbacks to this approach that you are aware of?
Thanks
Cheers
Ken
"Steven Cheng [MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:8SEB5Xx5IHA.1624@xxxxxxxxxxxxxxxxxxxxxxxxx
Hi Mike,
I've also discussed this scenario with some other IIS engineers; they also think that Ken's suggestion is reasonable. You need to register the suffix NotAnADDomain.com in forest ADDomain2.com, so forest ADDomain1.com can route the ticket requests properly.
Sincerely,
Steven Cheng
Microsoft MSDN Online Support Lead
--------------------
From: bake <mikeemail@xxxxxxxxxxxxx>
References: <F78C0A55-1E3F-4EE4-B97F-41BF9C0DE89C@xxxxxxxxxxxxx> <#WIfsaJ4IHA.4720@xxxxxxxxxxxxxxxxxxxx> <uoBHdTJ4IHA.4272@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: Kerberos - Multi-domain SPN problem
Date: Tue, 8 Jul 2008 12:06:23 -0700
Thanks Ken, that's exactly what I was looking for. BTW, I have been at your site before, it was very informative, good job!
Thanks,
Mike
"Ken Schaefer" wrote:
Also, I am going to cover UPN suffix routing for cross-forest scenarios in my next IIS and Kerberos post, with more detailed instructions and some discussion. The other posts are here: www.adopenstatic.com/faq
Cheers
Ken
"Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:uoBHdTJ4IHA.4272@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
Add website.NotAnADDomain.com as an additional UPN suffix for ADDomain2.
In the Forest Trust properties, configure UPN suffix routing for website.NotAnADDomain.com across the trust.
Now the DCs in ADDomain1 know that they can refer clients to DCs in ADDomain2 for a service ticket.
Cheers
Ken
"bake" <mikeemail@xxxxxxxxxxxxx> wrote in message
news:F78C0A55-1E3F-4EE4-B97F-41BF9C0DE89C@xxxxxxxxxxxxxxxx
I have an interesting problem with Kerberos and our network setup, which I'll try to keep simple.
Client user is ADDomain1.com/user.
IIS Web Site service account user is ADDomain2.com/serviceuser.
DNS alias points to web site via website.NotAnADDomain.com.
ADDomain1.com and ADDomain2.com have 2 way full trusts.
The actual URL we want to use is http://website.NotAnADDomain.com (which is obviously not an AD domain, just a domain set up via DNS). So we registered the SPN as:
SetSPN -A HTTP\host1.NotAnADDomain.com ADDomain2.com/serviceuser
So when ADDomain1.com/user talks to ADDomain1.DC (KDC) to get the Kerberos ticket, we get a KDC_ERR_S_PRINCIPAL_UNKNOWN error ("Server not found in Kerberos database").
I assume that is due to the HTTP\website.NotAnADDomain.com SPN; the ADDomain1 DC/KDC does not even know to point the ADDomain1.user to ADDomain2.KDC to get the Kerberos ticket. Is that right?
Is there a mapping we can put in that would tell ADDomain1.KDC that when it gets a request for that SPN/host (website.NotAnADDomain.com), it should point the client to the DC/KDC in ADDomain2 where the serviceuser account exists?
Maybe something in the domain trusts, or perhaps the HostToRealm registry key (not much documentation on that)?
Thanks so much. I'll try to hold a day or 2 before cross posting in security newsgroups.
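The checks behind the fix discussed in this thread, as an added PowerShell example that is not part of the original posts: it verifies that the SPN is held by exactly one account in the serving forest (a missing or duplicate SPN both surface as KDC_ERR_S_PRINCIPAL_UNKNOWN), that the DNS suffix is a UPN suffix of that forest, and lists the name-suffix routing state on the forest trust. The domain names are taken from the thread; the SPN is written in the standard service/host form, and the RSAT ActiveDirectory module and netdom are assumed to be available.

```powershell
# Added diagnostic script, not from the thread. Names assumed from the original
# post: client forest ADDomain1.com, serving forest ADDomain2.com, service
# account serviceuser, DNS-only name website.NotAnADDomain.com.
# Run with RSAT (ActiveDirectory module) as an administrator of ADDomain2.com.
Import-Module ActiveDirectory

$Spn          = 'HTTP/website.NotAnADDomain.com'
$ServiceAcct  = 'serviceuser'
$ServerForest = 'ADDomain2.com'
$ClientForest = 'ADDomain1.com'
$Suffix       = 'NotAnADDomain.com'

# 1. Exactly one object in the serving forest must hold the SPN. Zero holders
#    means the KDC cannot find the principal; two or more is a duplicate SPN,
#    which the KDC also rejects, so both cases are flagged.
$holders = @(Get-ADObject -Server $ServerForest `
    -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName)
switch ($holders.Count) {
    0       { Write-Warning "$Spn is not registered; register it with: setspn -S $Spn $ServiceAcct" }
    1       { "OK: $Spn is held by $($holders[0].DistinguishedName)" }
    default { Write-Warning "DUPLICATE: $Spn is held by $($holders.Count) objects:`n$($holders.DistinguishedName -join "`n")" }
}

# 2. The serving forest must claim the DNS suffix as a UPN suffix, otherwise
#    there is nothing for the trust to route.
$forest = Get-ADForest -Server $ServerForest
if ($forest.UPNSuffixes -notcontains $Suffix) {
    Write-Warning "Suffix $Suffix is not a UPN suffix of $ServerForest; add it with: Set-ADForest -Identity $ServerForest -UPNSuffixes @{Add='$Suffix'}"
} else {
    "OK: $Suffix is a UPN suffix of $ServerForest"
}

# 3. Name-suffix routing on the forest trust decides whether ADDomain1's KDC
#    refers clients to ADDomain2 for this suffix. netdom prints each routed
#    suffix with its Enabled/Disabled state; the new suffix must show Enabled.
netdom trust $ClientForest /domain:$ServerForest /NameSuffixes:$ServerForest
```

After changing the suffix or the routing, a client in ADDomain1 still holds cached tickets, so re-test from a fresh logon session rather than trusting the first retry.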