Interoperability with Microsoft KDC

Accessing Services in w2kdomain from novlrealm

To set up cross-realm authentication between novlrealm and w2kdomain:

  1. (Conditional) If a user object does not already exist in Active Directory for the user, create one.

    The user object is required because tickets that carry a PAC (the authorization data that application services in w2kdomain honor) are issued only by Microsoft Active Directory, the KDC for w2kdomain.

  2. Map the user's principal in novlrealm to this user object:

    1. Click Start > Programs > Administrative Tools > Active Directory Users and Computers.

    2. Right-click the user object > Name Mappings.

    3. Click Kerberos Names tab > Add.

    4. Enter the user's principal name.

  3. Set up a trust between w2kdomain and novlrealm:

    1. Click Start > Programs > Administrative Tools > Active Directory Domains and Trusts.

    2. Click w2kdomain > Properties > Trusts.

    3. Click Add in the Domains trusted by this domain pane (as in Figure 3) to display the Add Trusted Domain dialog box.

      [Figure 4: Accessing Services in w2kdomain from novlrealm]

    4. In the Add Trusted Domain dialog box, enter novlrealm as the trusted domain.

      [Figure 5: Adding Trusted Domain]

    5. Enter the password, then reenter it to confirm it.

      IMPORTANT: The password (key) of krbtgt/w2kdomain@novlrealm must be identical in both realms: the value entered here and the value used when the principal is created in novlrealm (step 4).

    6. Click OK to acknowledge the warning message about the non-Windows Kerberos realm.

  4. In novlrealm, create the principal krbtgt/w2kdomain@novlrealm, using the same password that was entered for the trust in step 3.

  5. In the appropriate Kerberos configuration file (/etc/krb5.conf), create entries for novlrealm and mitrealm.
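The following /etc/krb5.conf is an added example for the two realms this procedure joins; it is not configuration taken from the original page or shipped with the Novell KDC. The KDC host names (kdc.novlrealm.example, dc.w2kdomain.example), the DNS suffixes in [domain_realm], and the port numbers are placeholders chosen for the example and must be replaced with the real values for the environment.

```ini
# Added example (not from the original page): /etc/krb5.conf for a client
# in novlrealm that needs service tickets from w2kdomain.
# Host names, DNS suffixes and ports below are assumed placeholders.

[libdefaults]
    default_realm = novlrealm
    # Resolve KDCs from this file rather than DNS SRV records
    dns_lookup_kdc = false

[realms]
    novlrealm = {
        # Novell KDC for the local realm (assumed host name)
        kdc = kdc.novlrealm.example:88
        admin_server = kdc.novlrealm.example:749
    }
    w2kdomain = {
        # The Active Directory domain controller is the KDC for w2kdomain
        # (assumed host name)
        kdc = dc.w2kdomain.example:88
    }

[domain_realm]
    # Map service host names to the realm that holds their principals,
    # so a request for host/server.w2kdomain.example is sent to w2kdomain
    .novlrealm.example = novlrealm
    novlrealm.example = novlrealm
    .w2kdomain.example = w2kdomain
    w2kdomain.example = w2kdomain

[capaths]
    # Direct trust path: a novlrealm client obtains
    # krbtgt/w2kdomain@novlrealm from its own KDC and presents that
    # cross-realm TGT to the w2kdomain KDC ("." means no intermediate realm)
    novlrealm = {
        w2kdomain = .
    }
```

Two checks are worth making after the file is in place. Realm names are case-sensitive, so the spelling and case of novlrealm and w2kdomain in this file, in the trust dialog and in the krbtgt principal must all agree, otherwise the cross-realm TGT is never requested. After a user in novlrealm obtains a service ticket for a w2kdomain host, the ticket cache should show both the local TGT (krbtgt/novlrealm@novlrealm) and the cross-realm TGT (krbtgt/w2kdomain@novlrealm); if only the local TGT appears and the request fails, the usual causes are a mismatched krbtgt password between the two realms or a missing [domain_realm] mapping for the target host.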