AD trust to Unix KDC with different DNS domain names - IE client spnego
Jun 03, 2018 07:47 PM|modulusmath
Trying to get a Win7 client in Domain1 to auth to Domain2 via cross-realm trust/SPNEGO.
Setup:
Domain1 - Win Server 2016 DC - PATRICA.COM
Win 7 client is joined to Domain1 - viewing shares on the DC works fine. www.thomas.com is added to 'local network' in IE 10
Domain2 - MIT Kerberos KDC - THOMAS.COM
Apache WWW/mod_auth_kerb - keytabs for HTTP/www.thomas.com@THOMAS.COM and other relevant forms.
Unix/Ubuntu client
All on 192.168.0.X - test network.
Two-way transitive trust set up w/ same password btw AD and MIT Kerberos KDCs.
NOTE: The Unix client can make a Kerberized connection OK to WWW.
The Windows client does not seem to look up how to find THOMAS.COM. It looks up its DNS name (www.thomas.com) and does get a 401 Negotiate back from the WWW server, but it tries NTLM, not Kerberos. I know this b/c I don't see the "YII" auth token in the network trace. I've tried running "ksetup /addkdc THOMAS.COM kdc.thomas.com" on both the Windows client and the Win 2016 DC. (Do I need to do it on both?)
I've set up _kerberos._udp.thomas.com. and _kerberos._tcp.thomas.com. SRV records to point to the MIT KDC.
Can this work like this? If so, how does the client figure out www.thomas.com is part of THOMAS.COM, which is not part of AD?
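The Windows-side steps the post describes (ksetup, the SRV records, the "YII" check on the trace), gathered into one script as an added example; this is the editor's code, not part of the thread or of any Microsoft documentation. The realm names, the service host www.thomas.com and the KDC name kdc.thomas.com are taken from the post. The use of ksetup /addhosttorealmmap to tell the client which realm www.thomas.com belongs to, and the reading that the NTLM fallback happens because the client cannot place the host in a realm, are the editor's assumptions about the cause; the thread does not confirm them. Get-NegotiateTokenKind and its sample tokens are constructed for the example.

```powershell
# Added example (not from the thread): Windows-side setup and checks for an
# AD client in PATRICA.COM reaching HTTP/www.thomas.com@THOMAS.COM, where
# THOMAS.COM is an MIT realm trusted by AD. Run in an elevated PowerShell on
# the Windows 7 client (PowerShell 2.0 syntax only). Host and realm names are
# from the post; the cause-and-effect comments are assumptions.

# 1. Tell the Kerberos client where the MIT realm's KDC is. This setting is
#    per machine, so the client needs it; the DC side of a realm trust is the
#    trust object itself (created with netdom trust ... /realm or the
#    AD Domains and Trusts snap-in), not a ksetup entry.
ksetup /addkdc THOMAS.COM kdc.thomas.com

# 2. Map the service host to its realm. Windows derives the realm of an SPN
#    from the host name; with no mapping it asks its own domain (PATRICA.COM)
#    for HTTP/www.thomas.com, which that KDC cannot issue, and the Negotiate
#    package then falls back to NTLM (assumption: this matches the post's
#    "401 Negotiate, then NTLM, no YII token" observation).
ksetup /addhosttorealmmap www.thomas.com THOMAS.COM

# 3. Drop cached tickets so the next request is negotiated from scratch.
klist purge

# 4. Verify each piece independently.
nslookup -type=SRV _kerberos._tcp.thomas.com   # SRV record the post created
nltest /domain_trusts                          # the realm trust must be listed
ksetup /dumpstate                              # KDC and host-to-realm entries
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\HostToRealm' `
    -ErrorAction SilentlyContinue               # where /addhosttorealmmap lands
klist get HTTP/www.thomas.com@THOMAS.COM       # request the cross-realm ticket
klist                                          # should now show krbtgt/THOMAS.COM@PATRICA.COM
                                               # and HTTP/www.thomas.com@THOMAS.COM

# 5. Classify the token IE actually sent. Copy the base64 value from the
#    "Authorization: Negotiate ..." header in the trace. A SPNEGO/Kerberos
#    token is a DER APPLICATION 0 blob (first byte 0x60), which base64-encodes
#    as "YII..." (or "YH..." for short tokens); a raw NTLMSSP token begins
#    with the bytes "NTLMSSP\0", i.e. "TlRMTVNTUAA..." in base64.
function Get-NegotiateTokenKind {
    param([string]$Base64Token)
    $bytes = [Convert]::FromBase64String($Base64Token)
    if ($bytes.Length -eq 0) { return 'empty' }
    if ($bytes.Length -ge 8 -and
        [System.Text.Encoding]::ASCII.GetString($bytes, 0, 7) -eq 'NTLMSSP' -and
        $bytes[7] -eq 0) {
        return 'NTLM'             # Negotiate degraded to NTLM; Kerberos failed
    }
    if ($bytes[0] -eq 0x60) { return 'SPNEGO' }           # client InitialContextToken
    if ($bytes[0] -eq 0xA1) { return 'SPNEGO-response' }  # server NegTokenResp
    return 'unknown'
}

# Constructed sample tokens (not captured from the poster's network):
# "TlRMTVNTUAABAAAA" decodes to "NTLMSSP\0" + type 1, the NTLM negotiate message.
# "YIIBAA==" decodes to 60 82 01 00, the start of a GSS-API/SPNEGO token.
Get-NegotiateTokenKind 'TlRMTVNTUAABAAAA'   # NTLM
Get-NegotiateTokenKind 'YIIBAA=='           # SPNEGO
```

Steps 1 and 2 are what the client needs in order to resolve the realm itself; the SRV records from the post are used once the realm name is known, so they do not by themselves answer the "which realm is www.thomas.com in?" question. Step 5 is the same check the poster did by eye on the trace, made explicit so it can be run on a copied header value rather than by scanning for "YII".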
Re: AD trust to Unix KDC with different DNS domain names - IE client spnego
Jun 05, 2018 05:51 AM|Brando ZWZ
Hi modulusmath,
Welcome to the asp.net forum.
According to your description, I think this issue is mainly related to the Active Directory setting on the server; our forum discusses asp.net AD-related issues.
I suggest you try posting this issue on the TechNet/MSDN AD forum.
https://social.technet.microsoft.com/Forums/en-US/home?forum=ADFS&filter=alltypes&sort=lastpostdesc
Best Regards,
Brando