Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i
Interoperability With Windows 2000
Inter-Realm (Inter-Domain) Authentication
When two distinct realms share common keys, the two realms are said to
trust one another. With that trust in place, principals can securely access
services in their native realm as well as those in the trusted realm. HP
terms such access inter-realm authentication; Microsoft terms it
inter-domain authentication or cross-realm authentication.
The following are examples of interoperability scenarios:
• A Kerberos principal can authenticate to a Kerberos Server and
access services registered in its native realm as well as trusted
Windows 2000 domains.
• A Kerberos principal can authenticate to a Windows 2000 domain
controller and access services registered in its native domain as well
as trusted foreign domains or realms.
• A Windows 2000 principal can authenticate to a Kerberos Server and
access services registered in its native realm as well as trusted
foreign realms or domains.
• A Windows 2000 principal can authenticate to a Windows 2000 KDC
and access services registered in its native domain as well as trusted
foreign domains or realms.
Inter-realm authentication relies on secure authentication between
users and the KDC in a single realm. The shared inter-realm key
between trusted KDCs provides the extra link to create a chain of trust
that allows a principal in one realm to authenticate to a service in a
trusted foreign realm.
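
The chain of trust described above, as an added example that is not part of the HP manual or of any Kerberos product. It is a simplified model: HMAC-SHA256 stands in for ticket encryption, the realm and service names are constructed, and the krbtgt/REALM@REALM naming of the shared inter-realm key follows the Kerberos convention in RFC 4120 rather than anything on this page.

```python
import hashlib, hmac, json, os

def seal(key, claims):
    # Stand-in for ticket encryption: JSON body authenticated with HMAC-SHA256.
    body = json.dumps(claims, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()

def unseal(key, ticket):
    body, tag = ticket
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise PermissionError("ticket was not sealed with this key")
    return json.loads(body)

class KDC:  # hypothetical toy KDC, one per realm
    def __init__(self, realm):
        self.realm = realm
        self.keys = {f"krbtgt/{realm}@{realm}": os.urandom(32)}

    def add_service(self, name):
        self.keys[f"{name}@{self.realm}"] = os.urandom(32)
        return self.keys[f"{name}@{self.realm}"]

    def trust(self, other):
        # Shared inter-realm key: `other` will accept referral tickets issued by self.
        name = f"krbtgt/{other.realm}@{self.realm}"
        self.keys[name] = other.keys[name] = os.urandom(32)

    def login(self, user):
        # Assumes the user already authenticated to this KDC (the single-realm step).
        return self._issue(f"{user}@{self.realm}", f"krbtgt/{self.realm}@{self.realm}")

    def _issue(self, client, target):
        if target not in self.keys:
            raise PermissionError(f"{self.realm} holds no key for {target}")
        return seal(self.keys[target], {"client": client, "target": target})

    def tgs(self, tgt, issuer_realm, service):
        # Verify the presented ticket with the key shared with its issuing realm.
        name = f"krbtgt/{self.realm}@{issuer_realm}"
        if name not in self.keys:
            raise PermissionError(f"{self.realm} does not trust {issuer_realm}")
        client = unseal(self.keys[name], tgt)["client"]
        svc_realm = service.rsplit("@", 1)[1]
        target = service if svc_realm == self.realm else f"krbtgt/{svc_realm}@{self.realm}"
        return self._issue(client, target)

def cross_realm_access(user, home, foreign, service, service_key):
    tgt = home.login(user)                               # sealed with home realm key
    referral = home.tgs(tgt, home.realm, service)        # sealed with inter-realm key
    ticket = foreign.tgs(referral, home.realm, service)  # sealed with service key
    return unseal(service_key, ticket)["client"]
```

Each link is checked with a key only two parties hold, so the service accepts the client's identity without ever sharing a key with the client's home KDC. Without the inter-realm key the chain breaks at the referral step.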