To set up cross-realm authentication between novlrealm and w2kdomain:

1. (Conditional) If a user object does not already exist in Active Directory for the user, create one.
   A user object is required so that the Active Directory KDC issues tickets that carry a PAC (the authorization data that application services in w2kdomain honor).

2. Map the user's principal in novlrealm to this user object:
   a. Click > > > and .
   b. Right-click the user object > .
   c. Click > .
   d. Specify the user's principal name.

3. Set up a trust between w2kdomain and novlrealm:
   a. Click > > > .
   b. Click > > .
   c. Click in the section to display the dialog box.
   d. In the dialog box, specify novlrealm as the trusted domain.
      Figure 8-1 Adding Trusted Domain
   e. Enter the password, then re-enter it to confirm the password.
      IMPORTANT: Make sure that the password (key) of krbtgt/w2kdomain@novlrealm is the same in both realms.
   f. Click to ignore the warning message about non-Windows Kerberos realms.

4. In novlrealm, create a principal named krbtgt/w2kdomain@novlrealm.

5. In the appropriate Kerberos configuration file (/etc/krb5.conf), create entries for novlrealm and mitrealm.
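The following /etc/krb5.conf fragment is an added example, not taken from the original documentation, of what step 5 produces for the novlrealm/w2kdomain trust: both realms are declared, host names are mapped to realms, and the [capaths] section records the direct trust so a novlrealm client can obtain the krbtgt/w2kdomain@novlrealm cross-realm ticket. The KDC host names (kdc.novlrealm.example, dc.w2kdomain.example) and the DNS suffixes are assumptions.

```ini
[libdefaults]
    # Clients in this example belong to novlrealm (assumed).
    default_realm = novlrealm
    # Rely on the explicit mappings below rather than DNS, so a spoofed
    # DNS answer cannot redirect ticket requests to a rogue KDC.
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    novlrealm = {
        kdc = kdc.novlrealm.example:88           # assumed host name
        admin_server = kdc.novlrealm.example:749 # assumed host name
    }
    w2kdomain = {
        kdc = dc.w2kdomain.example:88            # assumed Active Directory DC
        kpasswd_server = dc.w2kdomain.example:464
    }

[domain_realm]
    # Host-to-realm mapping; the leading dot covers every host in the suffix.
    .novlrealm.example = novlrealm
    novlrealm.example  = novlrealm
    .w2kdomain.example = w2kdomain
    w2kdomain.example  = w2kdomain

[capaths]
    # Direct (one-hop) trust: "." means no intermediate realm is needed.
    # The shared key behind this hop is krbtgt/w2kdomain@novlrealm, which
    # must be identical in both realms (see the IMPORTANT note above).
    novlrealm = {
        w2kdomain = .
    }
    w2kdomain = {
        novlrealm = .
    }
```

To check the trust from a novlrealm client, run kinit for a mapped user, request a w2kdomain service ticket with kvno (for example kvno host/server.w2kdomain.example@w2kdomain), and confirm with klist that the cache now holds krbtgt/w2kdomain@novlrealm alongside the service ticket.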