Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i
Inter-realm
Configuring Direct Trust Relationships
If the Kerberos Security Servers manage each and every realm in a
multi-realm environment, you must add inter-realm principals to the
principal databases for each realm.
Inter-realm principals are special-case principal accounts of the form
krbtgt/REALM1@REALM2, where:
• krbtgt/REALM1 is the Ticket-Granting-Service principal for Realm 1
• REALM2 is the foreign realm
A direct trust relationship exists when the server that hosts Realm A
directly trusts the server that hosts Realm B.
Inter-realm ticket requests are constructed by the client system rather
than the servers. Inter-realm authentication begins when a user
requests a service ticket for a service that is not in the user’s default
realm.
The client software constructs the service ticket request, and sends it to
the Kerberos Server that supports the user’s default realm. As the
service is not in that realm, the Kerberos Server cannot return a service
ticket. However, if it has a direct trust link to the service’s realm, it can
return an inter-realm ticket for the service’s realm.
When the client receives the inter-realm ticket, it sends the inter-realm
ticket with the service ticket request to the Kerberos Server that
supports the service’s realm.
When a foreign Kerberos Server receives an inter-realm ticket with a
service ticket request, and the inter-realm ticket was obtained from a
realm with which a direct trust relationship exists, the foreign
Kerberos Server returns the service ticket.
For this process to work, on the server:
• The user principal must be able to authenticate in the user’s default
realm.
• There must be a trust relationship established between the user’s
default realm and the service’s realm.
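The following is an added model of the exchange described above, not code from HP's Kerberos Server; realm names, principals and keys are constructed, and an HMAC stands in for encrypting a ticket under a principal's key. It shows the home realm issuing an inter-realm ticket only when the krbtgt/REALM1@REALM2 principal is in its database, and the foreign realm accepting that ticket only when it holds the same principal under the same key.

```python
# Constructed model of the direct-trust flow above; not HP's Kerberos Server code.
import hashlib, hmac, json

def seal(key, body):  # toy stand-in for encrypting a ticket under a principal key
    data = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, data, hashlib.sha256).hexdigest()}

def unseal(key, ticket):
    data = json.dumps(ticket["body"], sort_keys=True).encode()
    tag = hmac.new(key, data, hashlib.sha256).hexdigest()
    return ticket["body"] if hmac.compare_digest(ticket["tag"], tag) else None

class Kdc:
    def __init__(self, realm, principals):
        self.realm, self.db = realm, principals  # db: principal name -> key

    def tgs_request(self, client, service, service_realm):
        # Default-realm server: service ticket if the service is local, else an
        # inter-realm ticket only if the krbtgt/TARGET@THIS principal exists here.
        if service_realm == self.realm:
            key = self.db.get(service)
            return ("service", seal(key, {"client": client, "service": service})) if key else ("denied", None)
        key = self.db.get(f"krbtgt/{service_realm}@{self.realm}")
        if key is None:
            return ("denied", None)
        return ("inter-realm", seal(key, {"client": client, "issuer": self.realm}))

    def foreign_request(self, ticket, service):
        # Foreign server: accept the inter-realm ticket only if it was sealed under
        # an inter-realm principal key that this realm's database also holds.
        key = self.db.get(f"krbtgt/{self.realm}@{ticket['body']['issuer']}")
        body = unseal(key, ticket) if key else None
        if body is None or service not in self.db:
            return "denied"
        return f"service ticket for {service} issued by {self.realm}"

def cross_realm_auth(home_kdc, service_kdc, client, service):
    # The client builds the request itself and carries it across the two servers.
    kind, ticket = home_kdc.tgs_request(client, service, service_kdc.realm)
    if kind == "service":
        return f"service ticket for {service} issued by {home_kdc.realm}"
    if kind == "denied":
        return "denied"
    return service_kdc.foreign_request(ticket, service)

K_AB = b"inter-realm-key"  # constructed; the same key sits in both realm databases
KDC_A = Kdc("REALM.A", {"alice": b"k1", "krbtgt/REALM.B@REALM.A": K_AB})
KDC_B = Kdc("REALM.B", {"host/fs.b": b"k2", "krbtgt/REALM.B@REALM.A": K_AB})
KDC_C = Kdc("REALM.C", {"host/db.c": b"k3"})  # no trust link with REALM.A
```

Because each inter-realm principal covers one direction, REALM.B users cannot reach REALM.A services in this model until krbtgt/REALM.A@REALM.B is added to both databases as well.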