How Cross-Realm Setup Works

Figure 5 uses the example of accessing a service in the MIT KDC realm from a KDC realm.

Figure 6
Cross-realm setup working

The activity listed below uses the following terminology:

eDirectory user : ediruser.novell
User principal : edirprinc@novlrealm
Service principal : host/mit.com@mitrealm

The background activity in a cross-realm setup is explained below:

  1. An eDirectory user authenticates to novlrealm as edirprinc@novlrealm.
  2. The application client requests a service ticket for the principal, host/mit.com@mitrealm from KDC Server (hosting novlrealm).
  3. The KDC Server sends a service ticket for the principal, krbtgt/mitrealm@novlrealm to the client.
  4. The client sends this cross-realm ticket to MIT KDC (hosting mitrealm) along with a request for a service ticket for the principal, host/mit.com@mitrealm.
  5. MIT KDC sends the service ticket for host/mit.com@mitrealm to the application client.
  6. The client sends this service ticket to the application server.