Wouter Verhelst writes:

> Now when I try to do cross-realm authentication from a Windows host, it
> does not seem to work. The steps I've taken include:
>
> - set up cross-realm authentication: I have a one-way "incoming" trust
> relationship in Windows, and created a
> "krbtgt/MIT-REALM@WINDOWS-REALM" principal in kadmin, with the same
> password (a 40-character random string that was copy-pasted in both
> cases). The trust is a "realm" trust, not a "domain trust", to account
> for the differences between Windows "Kerberos" and the actual
> protocol.


For what it's worth, Windows Kerberos is the actual protocol. Except for
some issues around PKINIT, which aren't really Microsoft's fault, and the
bugs that any implementation will have, Windows Kerberos follows the
protocol just like everyone else. The PAC is allowed for in the protocol.

Microsoft does deserve negative press for some things around how they
handled the PAC situation, but protocol compliance isn't one of them.
Microsoft Windows KDCs interoperate quite well with the rest of the
world.

> What's peculiar is that in the final two steps, the windows system
> doesn't even seem to request cross-realm kerberos tickets; it doesn't
> get a TGT, nor does it try to contact the MIT kerberos server.


I think you have a one-way trust going the wrong way for what you're
trying to do. You need an outgoing trust from Windows to MIT for the
Windows client to get cross-realm tickets with MIT.

Why not just set up full bidirectional trust? That's what we do and I can
confirm that once that trust is set up, what you're trying to do works
just fine; we do exactly the same thing for our central web authentication
system.

--
Russ Allbery (rra@stanford.edu)