Last post Jun 05, 2018 05:51 AM by Brando ZWZ
Jun 03, 2018 07:47 PM|modulusmath|LINK
Trying to get a Win7 client in Domain1 to auth to Domain2 via cross-realm trust/SPNEGO.
Win 7 client is joined to Domain 1 - viewing shares on the DC works fine. www.thomas.com is added to 'local network' in IE 10
Domain2 - MIT Kerberos KDC - THOMAS.COM
Apache WWW/Mod_auth_kerb - keytabs for HTTP/www.thomas.com@THOMAS.COM and other relevant forms.
All on 192.168.0.X - test network.
Two-way transitive trust setup w/same password btw AD and MIT kerberos KDCs.
NOTE: The unix client can make a kerberized connection OK to WWW.
The Windows client does not seem to look up how to find THOMAS.COM. It looks up its DNS name (www.thomas.com) and does get a 401 Negotiate back from the WWW server, but it tries NTLM, not Kerberos. I know this b/c I don't see the "YII" auth token in the network trace. I've tried running "ksetup /addkdc THOMAS.COM kdc.thomas.com" on both the Windows client and the Win 2016 DC. (Do I need to do it on both?)
I've set up _kerberos._udp.thomas.com. and _kerberos._tcp.thomas.com. SRV records to point to the MIT KDC.
Can this work like this? If so, how does the client figure out www.thomas.com is part of THOMAS.COM, which is not part of AD?
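The check the post above does by eye (looking for a token that starts with "YII" in the trace) can be scripted. This is an added example, not part of the original thread: it classifies an `Authorization: Negotiate` value as Kerberos or NTLM using a byte-pattern heuristic rather than a full ASN.1 parse, and the sample tokens are constructed, not real tickets.

```python
import base64

# DER-encoded mechanism OIDs that appear inside Negotiate tokens.
SPNEGO_OID = bytes.fromhex("06062b0601050502")    # 1.3.6.1.5.5.2
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),      # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"),      # 1.2.840.48018.1.2.2 (MS variant)
)
NTLMSSP_SIG = b"NTLMSSP\x00"                      # base64 begins "TlRMTVNTUAA"


def classify_negotiate(header_value):
    """Classify an Authorization header value copied from a network trace.

    Returns 'not-negotiate', 'no-token', 'invalid-base64', 'ntlm',
    'ntlm-in-spnego', 'kerberos' or 'unknown'.
    """
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    if not b64.strip():
        return "no-token"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "invalid-base64"
    if token.startswith(NTLMSSP_SIG):
        return "ntlm"                 # raw NTLMSSP message, no SPNEGO wrapper
    if token[:1] == b"\x60":          # GSS-API InitialContextToken ("YII" when long)
        if NTLMSSP_SIG in token:
            return "ntlm-in-spnego"   # SPNEGO wrapper carrying an NTLM mechToken
        if any(oid in token for oid in KRB5_OIDS):
            return "kerberos"
    return "unknown"


def sample_headers():
    """Constructed byte strings shaped like real tokens (not valid tickets)."""
    krb = (b"\x60\x82\x01\x00" + SPNEGO_OID + b"\xa0\x30"
           + KRB5_OIDS[1] + KRB5_OIDS[0] + b"\x00" * 16)
    ntlm = NTLMSSP_SIG + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 16
    return {
        "kerberos": "Negotiate " + base64.b64encode(krb).decode(),
        "ntlm": "Negotiate " + base64.b64encode(ntlm).decode(),
    }


if __name__ == "__main__":
    for name, value in sample_headers().items():
        print(name, value[:24] + "...", "->", classify_negotiate(value))
```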
Jun 05, 2018 05:51 AM|Brando ZWZ|LINK
Welcome to the asp.net forum.
According to your description, I think this issue is mainly related to the Active Directory setting in the server; our forum is talking about asp.net AD related issues.
I suggest you try to post this issue on the TechNet MSDN AD forum.