Establishing Cross-Realm Trust between Active Directory and Novell KDC

Novell Cool Solutions: AppNote
By Anil Kumar Sekhara, Ashish Kumar

Posted: 26 Sep 2007
 

Overview

This AppNote describes the process of logging in to a Windows XP domain member machine with Novell KDC credentials, using interoperability between the Novell KDC and the Microsoft KDC (Active Directory).

Objective

The objective is to log in to a Windows machine that is part of an Active Directory Domain, using credentials of a user principal in a Novell KDC realm. Cross-realm trust is used between Active Directory and Novell KDC.

This AppNote explains how to configure cross-realm trust between Active Directory and Novell KDC, so that any Novell KDC user is able to log in to a domain member machine of Active Directory.

Prerequisite

Novell KDC 1.5 and Active Directory (with Windows 2003 Server) must be installed and able to contact each other.

Establishing Cross-Realm Trust

A cross-realm trust is established between the Novell KDC realm and Active Directory so that Novell KDC users can be authorized to access resources inside the Active Directory domain. Because these users can also log in to member machines of the Active Directory domain, they can access Windows services seamlessly.

Setup Process

The basic steps in the setup process are described below.

Step 1: Provide the Name and Location of the NKDC Server

The Windows XP machine must know the name and location of the NKDC server in order to authenticate to the NKDC (since the user belongs to the NKDC realm). This information is stored in the Windows registry using the ksetup utility, which comes with the Windows Support Tools available on the Windows CD.

1. Run the ksetup utility at the command prompt, as shown below:

ksetup.exe /addkdc NKDC_REALM_NAME machineNameOfNovellKDC

An example run is shown in Figure 1.

Figure 1 - Adding an NKDC realm

Step 2: Reboot the Windows XP Machine

Reboot the Windows XP machine (a domain member) for the registry entries to take effect. The newly added Novell KDC information is inserted into the registry under "HKEY_LOCAL_MACHINE\system\currentControlSet\Control\Lsa\Kerberos\Domains", as shown in Figure 2.

Figure 2 - Registry info for NKDC

Step 3: Establish Cross-Realm Trust between Active Directory and the Novell KDC Realm

Note: The password chosen for the cross-realm trust must be the same on both Active Directory (configured on Windows 2003 Server) and the NKDC when creating the cross-realm trust. This password is the shared secret between Novell KDC and Active Directory.

NKDC Server Configuration

1. Add the following two krbtgt principals using kadmin.local, with encryption type des:normal:

krbtgt/NKDC_REALM@AD-DOMAIN-NAME
krbtgt/AD-DOMAIN-NAME@NKDC_REALM

Example:

st-nf-cli-185:/opt/novell/kerberos/sbin # kadmin.local
Authenticating as principal administrator/admin@CERT1.COM with password.

kadmin.local:  addprinc -e des:normal krbtgt/CERT1.COM@NKDC185.com
WARNING: no policy specified for krbtgt/CERT1.COM@NKDC185.com; defaulting to no policy
Enter password for principal "krbtgt/CERT1.COM@NKDC185.com":
Re-enter password for principal "krbtgt/CERT1.COM@NKDC185.com":
Principal "krbtgt/CERT1.COM@NKDC185.com" created.

kadmin.local:  addprinc -e des:normal krbtgt/NKDC185.com@CERT1.COM
WARNING: no policy specified for krbtgt/NKDC185.com@CERT1.COM; defaulting to no policy
Enter password for principal "krbtgt/NKDC185.com@CERT1.COM":
Re-enter password for principal "krbtgt/NKDC185.com@CERT1.COM":
Principal "krbtgt/NKDC185.com@CERT1.COM" created.

Win2K3 Server (AD) Configuration

1. Log in to Windows 2003 server, using an account that has Domain Administrator privileges.

2. Open Active Directory domain and trusts by clicking Start > Programs > Administrative Tools > Active Directory Domains and Trusts.

3. Right-click on Domain and select Properties.

4. Add the Novell KDC Realm to be trusted by Active Directory by clicking on Trusts and then New Trust, as shown in Figure 3.

Figure 3 - cert1.com Properties

Then complete the steps as shown in Figures 4-13 below.

Figure 4 - New Trust Wizard

Figure 5 - cert1.com Properties

Figure 6 - New Trust Wizard

Figure 7 - Trust Name

Figure 8 - Trust Type

Figure 9 - Direction of Trust

Note: While setting the password for the trusted domain under "Domains trusted by this domain" on the AD server, use the same password associated with the krbtgt/CERT1.COM@NKDC185.com principal created in the NKDC using kadmin.local.

Figure 10 - Trust Password

Figure 11 - Trust Selections Complete

Figure 12 - Completing the New Trust Wizard

Once the trusted domain is added, it should be displayed as shown in Figure 13.

Figure 13 - cert1.com Properties

Note: By default, the trust set up using the above method is transitive, which means that child domain members of Active Directory can also authenticate against the Novell KDC. This trust can be marked as non-transitive on the Active Directory server using the netdom tool (available with the Microsoft Support Tools) as follows:

C:\Program Files\Support Tools> netdom  TRUST CERT1.COM  /Domain:NKDC185.com /Transitive:no

Step 4: Create a User Principal

Create a user principal that will be used to log in to the member machine of AD, using kadmin.local in the Novell KDC.

Example:

st-nf-cli-185:/etc/init.d # kadmin.local
Authenticating as principal administrator/admin@CERT1.COM with password.

kadmin.local:  addprinc userinNKDC
WARNING: no policy specified for userinNKDC@NKDC185.com; defaulting to no policy
Enter password for principal "userinNKDC@NKDC185.com":
Re-enter password for principal "userinNKDC@NKDC185.com":
Principal "userinNKDC@NKDC185.com" created.

Step 5: Map an AD User to a Novell KDC User

Map an existing Active Directory user to a Novell KDC user principal created in Step 4, on the Active Directory server. This mapping provides an authentication relationship between the user in the Novell KDC realm and the user identity in Active Directory. You can do this through the Active Directory Users and Computers tool as follows:

1. Open the Active Directory Users and Computers tool (Start > Programs > Administrative Tools > Active Directory Users and Computers).

2. Ensure that the Advanced Features menu item is checked in the View menu, as shown in Figure 14.

Figure 14 - Selecting Advanced Features

3. Locate the Active Directory user account to which the Novell KDC user principal should be mapped.

4. Right-click the username and select the Name mapping tab.

5. Click Add.

6. Specify the name of the Novell KDC user principal.

7. Click OK.

Figure 15 - Security Identity Mapping

Step 6: Completing the Login Process

On the Windows XP domain member machine, the Novell KDC realm should now appear in the "Log on to" drop-down box of the Windows login screen.

1. Enter the user principal credentials of the Novell KDC realm.

2. Select the Novell KDC Realm.

3. Click Login.

Authentication should be successful, and the user should be able to log in to the Windows XP machine using the Novell KDC user principal credentials.
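The following Python model ties together Step 3 (the two krbtgt principals and the shared trust password), Step 5 (the name mapping) and Step 6 (the login) so the dependencies between them are visible. It is an added illustration, not Novell's or Microsoft's code: tickets are JSON bodies carrying an HMAC-SHA256 tag in place of real Kerberos encryption, and string_to_key() is a stand-in for the DES key derivation used in the AppNote. The realm and principal names are those of the AppNote; the user password, trust password and the AD account name "aduser" are constructed, and the altSecurityIdentities "Kerberos:" prefix reflects how Active Directory stores the mapping from the Security Identity Mapping dialog.

```python
"""Toy model of the cross-realm login path of Steps 3, 5 and 6 (added example)."""
from __future__ import annotations

import hashlib
import hmac
import json

NKDC_REALM = "NKDC185.com"               # Novell KDC realm (from the AppNote)
AD_DOMAIN = "CERT1.COM"                  # Active Directory realm (from the AppNote)
TRUST_PASSWORD = "trust-secret-example"  # constructed; the Step 3 shared secret


def string_to_key(password: str, principal: str) -> bytes:
    """Stand-in for Kerberos string-to-key, salted with the principal name."""
    return hashlib.sha256(f"{principal}:{password}".encode()).digest()


def seal(key: bytes, fields: dict) -> dict:
    """Build a ticket: canonical JSON body plus an HMAC tag under `key`."""
    body = json.dumps(fields, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def unseal(key: bytes, ticket: dict) -> dict | None:
    """Return the ticket fields if the tag verifies under `key`, else None."""
    expected = hmac.new(key, ticket["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        return None
    return json.loads(ticket["body"])


class Kdc:
    """A KDC database (principal -> long-term key) with the two exchanges we need."""

    def __init__(self, realm: str):
        self.realm = realm
        self.keys: dict[str, bytes] = {}
        self.tgs_principal = f"krbtgt/{realm}@{realm}"
        self.add_principal(self.tgs_principal, f"{realm}-local-secret")  # constructed

    def add_principal(self, principal: str, password: str) -> None:
        """Equivalent of kadmin.local addprinc: store the key derived from the password."""
        self.keys[principal] = string_to_key(password, principal)

    def as_exchange(self, user: str, password: str) -> dict | None:
        """AS exchange: the user proves its key and receives a TGT for this realm."""
        principal = f"{user}@{self.realm}"
        if self.keys.get(principal) != string_to_key(password, principal):
            return None
        return seal(self.keys[self.tgs_principal],
                    {"client": principal, "service": self.tgs_principal})

    def cross_realm_tgs(self, tgt: dict, target_realm: str) -> dict | None:
        """TGS exchange for krbtgt/TARGET@THIS: issues the cross-realm TGT of Step 3."""
        fields = unseal(self.keys[self.tgs_principal], tgt)
        cross = f"krbtgt/{target_realm}@{self.realm}"
        if fields is None or cross not in self.keys:
            return None
        return seal(self.keys[cross], {"client": fields["client"], "service": cross})


class AdDomain(Kdc):
    """The AD side: the realm-trust key plus the Step 5 name mappings."""

    def __init__(self, realm: str):
        super().__init__(realm)
        self.alt_security_identities: dict[str, str] = {}  # "Kerberos:<principal>" -> account

    def add_realm_trust(self, foreign_realm: str, trust_password: str) -> None:
        """New Trust Wizard: AD derives krbtgt/<this>@<foreign> from the trust password.
        The key only matches the NKDC copy if both sides were given the same password."""
        self.add_principal(f"krbtgt/{self.realm}@{foreign_realm}", trust_password)

    def map_name(self, account: str, foreign_principal: str) -> None:
        """Security Identity Mapping (Figure 15): record the altSecurityIdentities value."""
        self.alt_security_identities[f"Kerberos:{foreign_principal}"] = account

    def logon(self, cross_tgt: dict) -> tuple[bool, str]:
        """Member-machine logon with a cross-realm TGT; returns (ok, account or reason)."""
        service = json.loads(cross_tgt["body"])["service"]  # sname is cleartext in real tickets too
        key = self.keys.get(service)
        if key is None:
            return False, f"no realm trust holding {service}"
        fields = unseal(key, cross_tgt)
        if fields is None:
            return False, "ticket does not verify: trust password differs between NKDC and AD"
        account = self.alt_security_identities.get(f"Kerberos:{fields['client']}")
        if account is None:
            return False, f"no name mapping for {fields['client']}"
        return True, account


def cross_realm_login(ad_trust_password: str = TRUST_PASSWORD,
                      map_user: bool = True) -> tuple[bool, str]:
    """Run the full path; the parameters reproduce the two common misconfigurations."""
    nkdc = Kdc(NKDC_REALM)
    nkdc.add_principal(f"krbtgt/{AD_DOMAIN}@{NKDC_REALM}", TRUST_PASSWORD)  # Step 3, first addprinc
    nkdc.add_principal(f"krbtgt/{NKDC_REALM}@{AD_DOMAIN}", TRUST_PASSWORD)  # Step 3, reverse direction
    nkdc.add_principal(f"userinNKDC@{NKDC_REALM}", "user-password-example")  # Step 4, constructed

    ad = AdDomain(AD_DOMAIN)
    ad.add_realm_trust(NKDC_REALM, ad_trust_password)                         # Step 3, AD side
    if map_user:
        ad.map_name("aduser", f"userinNKDC@{NKDC_REALM}")                     # Step 5, constructed account

    tgt = nkdc.as_exchange("userinNKDC", "user-password-example")             # Step 6: local TGT first
    cross_tgt = nkdc.cross_realm_tgs(tgt, AD_DOMAIN)                          # then the cross-realm TGT
    return ad.logon(cross_tgt)                                                # AD checks key and mapping


if __name__ == "__main__":
    print(cross_realm_login())                                 # (True, 'aduser')
    print(cross_realm_login(ad_trust_password="mistyped"))     # trust password mismatch
    print(cross_realm_login(map_user=False))                   # no name mapping
```

Running the script shows the three outcomes a practitioner meets in practice: a successful logon resolving to the mapped AD account, a ticket that AD cannot verify because the trust password typed in the New Trust Wizard differs from the one given to addprinc, and a verified ticket that is still rejected because no Active Directory account is mapped to the Novell KDC principal. Only the NKDC-to-AD direction is exercised; the second krbtgt principal is stored for the reverse direction but not used here.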


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell