Access Domain that is using MIT Kerberos Integration

From: Joel D. Kraft (jdkraft2_at_nospam.nospam)
Date: 08/25/05


Date: Wed, 24 Aug 2005 18:59:56 -0400

I am working with an Active Directory domain that has implemented
single sign-on by creating a realm trust between the organization's
Active Directory domain and an existing MIT Kerberos realm.

AD.COMPANY.COM <-trust- REALM.COMPANY.COM

All of the user accounts are mapped from the realm to AD user
accounts, and the actual user account passwords are unknown.
I would log into a domain computer, say server.company.com,
as the user me@REALM.COMPANY.COM with my Kerberos password.

This works all fine and dandy when everyone is in the AD. But
in a heterogeneous environment, this isn't quite as nice. The
problem occurs when you want to access a share like
\\server.company.com\myshare from a computer that is NOT a member
of the AD.COMPANY.COM domain.

Is this even possible? It seems that it *should* be, but it
is definitely not as easy as using me@REALM.COMPANY.COM or
me@AD.COMPANY.COM along with the Kerberos password when mapping
a drive. I have already used ksetup /addkdc and /addkpasswd
to let the client know about the location of the Kerberos servers
for the realm.

Which ticket would be required to successfully authenticate? Is
there a way to actually obtain that ticket from within windows, so
that it can be seen by klist...even if it is an additional step?!?

And then let's go one step further. Let's say that the client
machine trying to make the connection is in a different AD domain
without any current relationship to the AD.COMPANY.COM domain.
Would establishing an outgoing realm trust between this second
AD domain and REALM.COMPANY.COM or an outgoing external trust
between it and AD.COMPANY.COM make the process easier?!

Any helpful insights or pointers to good documentation are greatly
appreciated!!!

Joel
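The question above asks which ticket a non-member client needs before \\server.company.com\myshare will open, and whether that ticket can be seen with klist. Standard Kerberos cross-realm operation answers the first part: with the trust drawn as AD.COMPANY.COM <-trust- REALM.COMPANY.COM, the client needs three tickets in sequence, a TGT for REALM.COMPANY.COM, a cross-realm TGT krbtgt/AD.COMPANY.COM@REALM.COMPANY.COM issued by the MIT KDC, and finally the service ticket cifs/server.company.com@AD.COMPANY.COM issued by the AD KDC. The script below is an added example (not code from the poster or the thread) that parses a klist ticket cache dump and reports which hop of that chain is missing. The sample dump is constructed here, modeled on the layout of the Windows klist tool, and is not captured from the poster's machine; the realm and host names are the ones from the post.

```python
import re

# Constructed sample, modeled on the "Client:"/"Server:" layout of the
# Windows klist tool.  Not captured from the poster's machine.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (3)

#0>     Client: me @ REALM.COMPANY.COM
        Server: krbtgt/REALM.COMPANY.COM @ REALM.COMPANY.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent

#1>     Client: me @ REALM.COMPANY.COM
        Server: krbtgt/AD.COMPANY.COM @ REALM.COMPANY.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent

#2>     Client: me @ REALM.COMPANY.COM
        Server: cifs/server.company.com @ AD.COMPANY.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent
"""

# Matches a Client/Server pair whether klist prints "me @ REALM" or "me@REALM".
TICKET_RE = re.compile(
    r"Client:\s*(?P<client>\S+)\s*@\s*(?P<client_realm>\S+)\s+"
    r"Server:\s*(?P<service>\S+)\s*@\s*(?P<service_realm>\S+)"
)


def parse_klist(text):
    """Return (client principal, server principal) tuples from a klist dump."""
    tickets = []
    for m in TICKET_RE.finditer(text):
        client = f"{m['client']}@{m['client_realm']}"
        server = f"{m['service']}@{m['service_realm']}"
        tickets.append((client, server))
    return tickets


def expected_chain(user_realm, resource_realm, share_host):
    """Principals the cache must hold, in order, to open an SMB share
    that lives in a realm trusting the user's realm."""
    return [
        # 1. initial TGT from the user's own (MIT) KDC
        f"krbtgt/{user_realm}@{user_realm}",
        # 2. cross-realm TGT: issued by the user's KDC, presented to the AD KDC
        f"krbtgt/{resource_realm}@{user_realm}",
        # 3. CIFS service ticket, issued by the AD KDC for the file server
        f"cifs/{share_host}@{resource_realm}",
    ]


def missing_hops(text, user_realm, resource_realm, share_host):
    """Return the expected principals that are absent from the dump.
    An empty list means the full chain is cached."""
    cached = {server for _, server in parse_klist(text)}
    return [p for p in expected_chain(user_realm, resource_realm, share_host)
            if p not in cached]


if __name__ == "__main__":
    gaps = missing_hops(SAMPLE_KLIST, "REALM.COMPANY.COM",
                        "AD.COMPANY.COM", "server.company.com")
    if gaps:
        print("chain incomplete, missing:", *gaps, sep="\n  ")
    else:
        print("full cross-realm chain present; share access should use Kerberos")
```

Which hop is missing tells you where to look: if the second principal never appears, the client did not even ask the MIT KDC for a cross-realm TGT, which usually means it is not associating server.company.com with the AD.COMPANY.COM realm at all; if only the third is missing, the cross-realm TGT was obtained but the AD KDC did not accept it, which points at the trust itself rather than at the client's ksetup configuration. Principal comparison is exact, since Kerberos realm names are case-sensitive and Windows writes them in upper case.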


