How Cross-Realm Setup Works

Figure 5 uses the example of accessing a service in the MIT KDC realm from a KDC realm.

Figure 6
Cross-realm setup working

The activity listed below uses the following terminology:

eDirectory user : ediruser.novell

User principal : edirprinc@novlrealm

Service principal : host/mit.com@mitrealm

The background activity in a cross-realm setup is explained below:

1. An eDirectory user authenticates to novlrealm as edirprinc@novlrealm.
2. The application client requests a service ticket for the principal, host/mit.com@mitrealm from KDC Server (hosting novlrealm).
3. The KDC Server sends a service ticket for the principal, krbtgt/mitrealm@novlrealm to the client.
4. The client sends this cross-realm ticket to MIT KDC (hosting mitrealm) along with a request for a service ticket for the principal, host/mit.com@mitrealm.
5. MIT KDC sends the service ticket for host/mit.com@mitrealm to the application client.
6. The client sends this service ticket to the application server.