How Cross-Realm Setup Works
Figure 5 uses the example of accessing a service in the MIT KDC realm from a KDC realm.
Figure 6 Cross-realm setup working
The activity listed below uses the following terminology:
- eDirectory user: ediruser.novell
- User principal: edirprinc@novlrealm
- Service principal: host/mit.com@mitrealm
The background activity in a cross-realm setup is explained below:
- An eDirectory user authenticates to novlrealm as edirprinc@novlrealm.
- The application client requests a service ticket for the principal host/mit.com@mitrealm from the KDC Server (hosting novlrealm).
- Because that principal belongs to another realm, the KDC Server instead sends the client a cross-realm ticket for the principal krbtgt/mitrealm@novlrealm.
- The client sends this cross-realm ticket to the MIT KDC (hosting mitrealm) along with a request for a service ticket for the principal host/mit.com@mitrealm.
- The MIT KDC sends the service ticket for host/mit.com@mitrealm to the application client.
- The client sends this service ticket to the application server.
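The exchange above, modelled as an added example that is not part of this documentation or of either KDC product: two toy KDCs share one key for the inter-realm principal krbtgt/mitrealm@novlrealm, tickets are sealed with an HMAC in place of real Kerberos encryption, and all keys are constructed values. It also shows the failure case the list does not: the MIT KDC rejects the cross-realm ticket when its copy of the inter-realm key does not match.

```python
import hmac, hashlib, json

def encrypt(key, body):
    # Stand-in for Kerberos ticket encryption: the body sealed with an HMAC under the principal's key
    data = json.dumps(body, sort_keys=True)
    return {"data": data, "tag": hmac.new(key, data.encode(), hashlib.sha256).hexdigest()}

def decrypt(key, enc):
    expected = hmac.new(key, enc["data"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(enc["tag"], expected):
        raise PermissionError("ticket was not issued under the key this principal holds")
    return json.loads(enc["data"])

class KDC:
    def __init__(self, realm, keys):
        self.realm, self.keys = realm, keys  # keys: principal name -> long-term key

    def as_exchange(self, cname):
        # Initial authentication: a TGT for the local krbtgt principal
        tgt_name = f"krbtgt/{self.realm}@{self.realm}"
        return {"sname": tgt_name, "enc": encrypt(self.keys[tgt_name], {"cname": cname})}

    def tgs_exchange(self, tgt, sname):
        # Validate the presented TGT with the krbtgt key it names, then issue a ticket
        if tgt["sname"] not in self.keys:
            raise PermissionError(f"{self.realm} holds no key for {tgt['sname']}")
        body = decrypt(self.keys[tgt["sname"]], tgt["enc"])
        realm = sname.split("@")[1]
        # Local service: the service ticket itself; foreign service: a cross-realm TGT
        target = sname if realm == self.realm else f"krbtgt/{realm}@{self.realm}"
        if target not in self.keys:
            raise PermissionError(f"{self.realm} has no trust path to {realm}")
        return {"sname": target, "enc": encrypt(self.keys[target], body)}

def cross_realm_access(novl, mit, cname, service):
    tgt = novl.as_exchange(cname)                       # user authenticates to novlrealm
    xrealm_tgt = novl.tgs_exchange(tgt, service)        # novlrealm KDC returns krbtgt/mitrealm@novlrealm
    svc_ticket = mit.tgs_exchange(xrealm_tgt, service)  # MIT KDC returns host/mit.com@mitrealm
    # The application server decrypts the service ticket with its own key and learns the client
    client = decrypt(mit.keys[service], svc_ticket["enc"])["cname"]
    return xrealm_tgt["sname"], svc_ticket["sname"], client

# Constructed keys; the inter-realm principal krbtgt/mitrealm@novlrealm shares one key in both KDCs
INTER_REALM_KEY = b"constructed-inter-realm-secret"
NOVL = KDC("novlrealm", {"krbtgt/novlrealm@novlrealm": b"novl-tgt-key",
                         "krbtgt/mitrealm@novlrealm": INTER_REALM_KEY})
MIT = KDC("mitrealm", {"krbtgt/mitrealm@mitrealm": b"mit-tgt-key",
                       "krbtgt/mitrealm@novlrealm": INTER_REALM_KEY,
                       "host/mit.com@mitrealm": b"host-key"})
```

Calling cross_realm_access(NOVL, MIT, "edirprinc@novlrealm", "host/mit.com@mitrealm") returns the two ticket names and the client name the application server recovers.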