
We have a setup with an IIS and a SQL server and have implemented Kerberos to use SQL Security directly.

We have an AD forest: Internal.local and the setup works fine there.

Now the customer wants external access through external.com and of course we cannot use the current setup for Kerberos. Internally we can access internal.local - get a Kerberos ticket - access the external.com and continue using that ticket.

But is there a solution to get Kerberos to work for the external.com access?

I guess we have to trust the two somehow??

Burrhus

1 Answer


You can set up cross-realm between any two realms. All you need to do is install the shared keys in both realms.

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sec-kerberos-crossrealm.html

Doing this with AD is a bit trickier, as AD is generally set up to allow both authentication and authorization. This is a good slide deck about the issues involved:

http://www.kerberos.org/events/2010conf/2010slides/2010kerberos_dmitry_pal.pdf

However, cross-realm generally does a lot less than people initially assume. Cross-realm in its most basic form only allows your realm to authenticate user@REMOTE.COM. Each application then has to figure out what user@REMOTE.COM is allowed to do (authorization). Generally this means mapping the remote Kerberos principal to some local account name that makes sense to your application.
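As an added example (not part of the answer above), here is the kind of principal-to-local-account mapping the last paragraph describes, written as the authorization step an application would run after cross-realm authentication has succeeded. The realm names, the `ext_` prefix scheme and the override table are assumptions; a realm not listed is rejected rather than mapped.

```python
"""Map Kerberos principals from a trusted remote realm to local account names.

Added example, not from the original post. Models the authorization step the
answer describes: cross-realm proves the client is user@EXTERNAL.COM, and the
application must still decide which local identity (if any) that maps to.
"""
import re

# Constructed policy: only these realms are trusted, each with its own local
# naming scheme. A realm missing from this table is treated as untrusted.
TRUSTED_REALMS = {
    "INTERNAL.LOCAL": "{user}",       # own realm: identity unchanged
    "EXTERNAL.COM": "ext_{user}",     # remote realm: prefixed local account
}

# Constructed explicit overrides, e.g. a service account with a known local name.
EXPLICIT_MAP = {
    "svc_web@EXTERNAL.COM": "iis_app_pool",
}

# user[/instance]@REALM; the instance part marks a service principal.
_PRINCIPAL_RE = re.compile(
    r"^(?P<user>[^@/]+)(?:/(?P<instance>[^@]+))?@(?P<realm>[A-Za-z0-9.\-]+)$"
)


class UnknownRealmError(ValueError):
    """Raised for a principal from a realm the application does not trust."""


def map_principal(principal: str) -> str:
    """Return the local account name for an authenticated Kerberos principal.

    Raises UnknownRealmError for untrusted realms and ValueError for malformed
    or service principals, so a caller never silently grants access.
    """
    m = _PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError(f"malformed principal: {principal!r}")
    user, instance = m.group("user"), m.group("instance")
    realm = m.group("realm").upper()   # realm names are case-insensitive
    if realm not in TRUSTED_REALMS:
        raise UnknownRealmError(f"realm {realm} is not trusted")
    if instance:
        raise ValueError("service principals are not mapped to user accounts")
    canonical = f"{user}@{realm}"
    if canonical in EXPLICIT_MAP:
        return EXPLICIT_MAP[canonical]
    return TRUSTED_REALMS[realm].format(user=user.lower())
```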