8.3 How Cross-Realm Setup Works

Figure 5 uses the example of accessing a service in the MIT KDC realm from a Novell KDC realm.

Figure 8-2 Cross-realm Setup

The activity listed below uses the following terminology:

The background activity in a cross-realm setup is explained below:

  1. An eDirectory™ user authenticates to novlrealm as edirprinc@novlrealm.

  2. The application client requests a service ticket for the principal, host/mit.com@mitrealm, from the KDC server hosting novlrealm.

  3. The KDC server sends a service ticket for the principal, krbtgt/mitrealm@novlrealm, to the client.

  4. The client sends this cross-realm ticket to the MIT KDC hosting mitrealm, along with a request for a service ticket for the principal, host/mit.com@mitrealm.

  5. The MIT KDC sends the service ticket for host/mit.com@mitrealm to the application client.

  6. The client sends this service ticket to the application server.
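
The six steps above, modelled as an added example (not code from Novell or MIT) to show that the only thing linking the two realms is the key of krbtgt/mitrealm@novlrealm, which both KDCs must hold. Assumptions: the KDC class, function names and all keys are constructed for illustration, and an HMAC-SHA256 tag stands in for real Kerberos ticket encryption.

```python
import hashlib, hmac, json

def seal(key, body):
    # Stand-in for Kerberos ticket encryption: an HMAC-SHA256 tag only.
    blob = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, blob, hashlib.sha256).hexdigest()}

def unseal(key, ticket):
    # Recompute the tag; a ticket sealed under any other key is rejected.
    if not hmac.compare_digest(seal(key, ticket["body"])["tag"], ticket["tag"]):
        raise PermissionError("ticket was not sealed with the expected key")
    return ticket["body"]

class KDC:
    def __init__(self, realm, keys):
        self.realm, self.keys = realm, keys  # principal name -> long-term key

    def as_req(self, client):
        # Step 1: issue a TGT for the local realm.
        sname = f"krbtgt/{self.realm}@{self.realm}"
        return seal(self.keys[sname], {"client": client, "sname": sname})

    def tgs_req(self, tgt, target):
        # Accept only a krbtgt ticket for this realm that verifies under a key held here.
        presented = tgt["body"]["sname"]
        if not presented.startswith(f"krbtgt/{self.realm}@") or presented not in self.keys:
            raise PermissionError(f"{self.realm} does not trust {presented}")
        client = unseal(self.keys[presented], tgt)["client"]
        target_realm = target.rsplit("@", 1)[1]
        if target_realm != self.realm:
            # Steps 2-3: foreign service, so answer with the cross-realm ticket.
            target = f"krbtgt/{target_realm}@{self.realm}"
        if target not in self.keys:
            raise PermissionError(f"{self.realm} has no key for {target}")
        return seal(self.keys[target], {"client": client, "sname": target})

# Constructed sample keys; the inter-realm key is the only secret both KDCs share.
INTER, HOSTKEY = b"constructed-inter-realm-key", b"constructed-host-key"
NOVL = KDC("novlrealm", {"krbtgt/novlrealm@novlrealm": b"constructed-novl-key",
                         "krbtgt/mitrealm@novlrealm": INTER})
MIT = KDC("mitrealm", {"krbtgt/mitrealm@novlrealm": INTER,
                       "host/mit.com@mitrealm": HOSTKEY})

def run_exchange(novl_kdc, mit_kdc, host_key):
    tgt = novl_kdc.as_req("edirprinc@novlrealm")             # step 1
    xrealm = novl_kdc.tgs_req(tgt, "host/mit.com@mitrealm")  # steps 2-3
    svc = mit_kdc.tgs_req(xrealm, "host/mit.com@mitrealm")   # steps 4-5
    return xrealm["body"]["sname"], unseal(host_key, svc)    # step 6
```

If the two KDCs hold different keys for krbtgt/mitrealm@novlrealm, step 4 fails at the MIT KDC, which is the usual symptom of a mismatched cross-realm principal.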