8.2 Interoperability with the Microsoft KDC

To set up cross-realm authentication between novlrealm and w2kdomain:

  1. (Conditional) If a user object does not already exist for a user in Active Directory, create a user object.

    The user object is required in order to obtain tickets containing a PAC (authorization data honored by application services in w2kdomain) from the Active Directory KDC.

  2. Map the user’s principal in novlrealm to this user object:

    1. Click Start > Programs > Administrative Tools > Active Directory Users and Computers.

    2. Right-click the user object > Name Mappings.

    3. Click Kerberos Names > Add.

    4. Specify the user’s principal name.

  3. Set up a trust between w2kdomain and novlrealm:

    1. Click Start > Programs > Administrative Tools > Active Directory Domains and Trusts.

    2. Click w2kdomain > Properties > Trusts.

    3. Click Add in the Domains trusted by this domain section to display the Add Trusted Domain dialog box.

    4. In the Add Trusted Domain dialog box, specify novlrealm as the trusted domain.

      Figure 8-1 Adding Trusted Domain

    5. Enter the password and re-enter it to confirm the password.

      IMPORTANT: Make sure that the password or key of krbtgt/w2kdomain@novlrealm is the same in both realms.

    6. Click OK to ignore the warning message about non-Windows Kerberos realms.

  4. In novlrealm, create a principal named krbtgt/w2kdomain@novlrealm.

  5. In the appropriate Kerberos configuration file (/etc/krb5.conf), create entries for novlrealm and mitrealm.
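As an added example (not taken from the Novell documentation), the krb5.conf entries that the last step calls for on a client that should follow the trust from novlrealm into w2kdomain. It assumes the realm names are NOVLREALM and W2KDOMAIN (Kerberos realm names are case-sensitive and conventionally upper case; W2KDOMAIN must be the exact Kerberos realm name of the Active Directory domain) and uses constructed KDC host names kdc.novlrealm.example and dc1.w2kdomain.example:

```ini
# /etc/krb5.conf (example fragment; host names below are constructed placeholders)

[libdefaults]
    # Realm of the users who will cross into w2kdomain
    default_realm = NOVLREALM

[realms]
    NOVLREALM = {
        kdc = kdc.novlrealm.example
        admin_server = kdc.novlrealm.example
    }
    # The Active Directory domain controller acts as the KDC for w2kdomain
    W2KDOMAIN = {
        kdc = dc1.w2kdomain.example
        admin_server = dc1.w2kdomain.example
    }

[domain_realm]
    # Map DNS names of hosts to the realm that issues tickets for them,
    # so a client can tell which KDC owns a service it is asked to reach
    .novlrealm.example = NOVLREALM
    novlrealm.example = NOVLREALM
    .w2kdomain.example = W2KDOMAIN
    w2kdomain.example = W2KDOMAIN

[capaths]
    # Direct trust: a NOVLREALM client obtains krbtgt/W2KDOMAIN@NOVLREALM
    # from its own KDC and presents it to the W2KDOMAIN KDC ("." = no
    # intermediate realm). The shared cross-realm key itself is stored in
    # each KDC's database, not in this file.
    NOVLREALM = {
        W2KDOMAIN = .
    }
```

The [capaths] entry only describes the path; if the krbtgt/W2KDOMAIN@NOVLREALM key differs between the two KDCs, the W2KDOMAIN KDC rejects the cross-realm TGT and the service ticket request fails.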