Domain setup:
CHILD1 and CHILD2 are child domains in the same forest, both under the parent ___domain R2DOM.LOCAL.
The Administrator of the child ___domain CHILD1 logs on to a member server (CH1-Mem) in the CHILD1 ___domain.
After logging on, the user tries to access \\r2dom-ch2-Mem1. R2dom-ch2-Mem1 is a member server in the CHILD2 ___domain.
--> I used Network Monitor to analyze and understand how Kerberos authentication works when accessing a resource across domains.
Below you can see the Administrator obtaining the required Kerberos tickets when accessing a resource across domains.
10.2.1.2 = DC of CHILD1.R2DOM.LOCAL
10.1.1.2 = DC of R2DOM.LOCAL
10.3.1.1 = DC of CHILD2.R2DOM.LOCAL
10.10.10.1 = CH1-Mem in CHILD1
10.10.10.1 10.2.1.2 KerberosV5:TGS Request Realm: CHILD1.R2DOM.LOCAL Sname : cifs/r2dom-ch2-Mem1
--> KrbApReq : KRB_AP_REQ (14)
Ticket: Realm: CHILD1.R2DOM.LOCAL, Sname: krbtgt/CHILD1.R2DOM.LOCAL
** Here a Kerberos TGS request is sent to the local ___domain (CHILD1.R2DOM.LOCAL) DC for the SPN cifs/r2dom-ch2-Mem1. The local ___domain TGT (krbtgt/CHILD1.R2DOM.LOCAL) is presented in the KRB_AP_REQ of the TGS request.
10.2.1.2 10.10.10.1 KerberosV5:TGS Response Cname: Administrator
--> Ticket: Realm: CHILD1.R2DOM.LOCAL, Sname:krbtgt/R2DOM.LOCAL
** Here the local ___domain DC returns a TGT for the parent ___domain R2DOM.LOCAL (Sname krbtgt/R2DOM.LOCAL, issued by realm CHILD1.R2DOM.LOCAL). This is a referral: the CHILD1 KDC cannot issue a ticket for cifs/r2dom-ch2-Mem1, since only the KDC of the ___domain that holds the service account's key can encrypt such a ticket, so it instead hands the client a cross-realm TGT for the next ___domain on the trust path.
10.10.10.1 10.1.1.2 KerberosV5:TGS Request Realm: R2DOM.LOCAL Sname: krbtgt/CHILD2.R2DOM.LOCAL
--> KrbApReq : KRB_AP_REQ (14)
Ticket: Realm: CHILD1.R2DOM.LOCAL, Sname : krbtgt/R2DOM.LOCAL
** Now the client sends a TGS request to the parent ___domain R2DOM.LOCAL, asking for a TGT for its other child ___domain, CHILD2.R2DOM.LOCAL, where cifs/r2dom-ch2-Mem1 resides. In this request the client presents the parent-___domain TGT it received in the earlier referral from the local DC.
10.1.1.2 10.10.10.1 KerberosV5:TGS Response Cname: Administrator
--> Ticket: Realm: R2DOM.LOCAL, Sname: krbtgt/CHILD2.R2DOM.LOCAL
** The parent ___domain returns a TGT for the CHILD2 ___domain (Sname krbtgt/CHILD2.R2DOM.LOCAL, issued by realm R2DOM.LOCAL) to the client. This is a second referral, this time down the trust path to CHILD2; the parent can issue it directly because it shares a trust key with its child ___domain.
10.10.10.1 10.3.1.1 KerberosV5 :TGS Request Realm: CHILD2.R2DOM.LOCAL Sname : cifs/r2dom-ch2-Mem1
-->KrbApReq: KRB_AP_REQ (14)
Ticket: Realm: R2DOM.LOCAL, Sname: krbtgt/CHILD2.R2DOM.LOCAL
** Now the client sends the TGS request for the SPN cifs/r2dom-ch2-Mem1 to the DC of CHILD2.R2DOM.LOCAL, the ___domain that is authorized to issue a ticket for the server r2dom-ch2-Mem1 it holds. This time the client presents the CHILD2 cross-realm TGT in the request.
10.3.1.1 10.10.10.1 KerberosV5:TGS Response Cname: Administrator
--> Ticket: Realm: CHILD2.R2DOM.LOCAL, Sname: cifs/r2dom-ch2-Mem1
** Finally the client receives the service ticket for cifs/r2dom-ch2-Mem1, issued by CHILD2.R2DOM.LOCAL, which it presents to r2dom-ch2-Mem1 so that the Administrator can access the shares on that server in ___domain CHILD2.R2DOM.LOCAL.
The workstation the user 'Administrator' is using to access the resource across domains also needs a similar ticket, for its own computer account (CH1-Mem$).
A ticket for r2dom-ch2-Mem1 is first requested from the local ___domain, which returns the error KDC_ERR_S_PRINCIPAL_UNKNOWN because the r2dom-ch2-Mem1 computer is not part of the local ___domain (CHILD1.R2DOM.LOCAL). Note that this request names the bare host (Sname: r2dom-ch2-Mem1) rather than an SPN with a service class; the request that follows, for cifs/r2dom-ch2-Mem1, is answered by the same DC with a referral instead of an error.
10.10.10.1 10.2.1.2 KerberosV5 KerberosV5:TGS Request Realm: CHILD1.R2DOM.LOCAL Sname: r2dom-ch2-Mem1
10.2.1.2 10.10.10.1 KerberosV5 KerberosV5:KRB_ERROR - KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
Below, the client computer (CH1-Mem$) obtains the required Kerberos tickets through the same referral chain: local DC, parent DC, CHILD2 DC.
10.10.10.1 10.2.1.2 KerberosV5 KerberosV5:TGS Request Realm: CHILD1.R2DOM.LOCAL Sname: cifs/r2dom-ch2-Mem1
10.2.1.2 10.10.10.1 KerberosV5 KerberosV5:TGS Response Cname: CH1-Mem$
10.10.10.1 10.1.1.2 KerberosV5 KerberosV5:TGS Request Realm: R2DOM.LOCAL Sname: krbtgt/CHILD2.R2DOM.LOCAL
10.1.1.2 10.10.10.1 KerberosV5 KerberosV5:TGS Response Cname: CH1-Mem$
10.10.10.1 10.3.1.1 KerberosV5 KerberosV5:TGS Request Realm: CHILD2.R2DOM.LOCAL Sname: cifs/r2dom-ch2-Mem1
10.3.1.1 10.10.10.1 KerberosV5 KerberosV5:TGS Response Cname: CH1-Mem$
- Abizer
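The referral walk the two traces above show, as an added Python model (this is not Abizer's code or a Microsoft implementation). It takes the forest layout, DC addresses and the cifs/r2dom-ch2-Mem1 SPN from the post, replaces the cryptography with a check that the KDC receiving a TGS-REQ is the realm named in the presented krbtgt ticket, and stands in for the global catalog with a small constructed SPN table that omits the bare host name, so it reproduces both the three-step chain (local DC, parent DC, CHILD2 DC) and the KDC_ERR_S_PRINCIPAL_UNKNOWN the workstation hit first. One assumption is stated in the code: the trace shows the client asking the parent DC for krbtgt/CHILD2.R2DOM.LOCAL directly, but not how it learned that realm, so the model simply lets the client read the SPN table after the first referral. The path walk in next_hop follows parent/child links, so it also handles a deeper tree than the two-level forest in the post.

```python
"""Model of the cross-___domain Kerberos referral walk shown in the traces above.
Added example, not code from the original post: realm names, DC/client addresses
and the cifs/r2dom-ch2-Mem1 SPN are the post's; KDC and client logic is a simplified
model (no cryptography, AS exchange or PAC) and the SPN table is constructed."""
from dataclasses import dataclass
from typing import List, Union

# Forest from the post: R2DOM.LOCAL is the root, CHILD1 and CHILD2 its children.
# Parent/child trusts are two-way and transitive, so the trust path between two
# realms is the path between them in this tree.
PARENT = {"R2DOM.LOCAL": None,
          "CHILD1.R2DOM.LOCAL": "R2DOM.LOCAL",
          "CHILD2.R2DOM.LOCAL": "R2DOM.LOCAL"}
KDC_IP = {"CHILD1.R2DOM.LOCAL": "10.2.1.2",      # DC addresses from the post
          "R2DOM.LOCAL": "10.1.1.2",
          "CHILD2.R2DOM.LOCAL": "10.3.1.1"}
# SPN -> owning realm, standing in for the global catalog lookup a KDC does.
# The bare host name the workstation tried first is deliberately absent.
SPN_REALM = {"cifs/r2dom-ch2-Mem1": "CHILD2.R2DOM.LOCAL"}
KDC_ERR_S_PRINCIPAL_UNKNOWN = "KRB_ERROR - KDC_ERR_S_PRINCIPAL_UNKNOWN (7)"

@dataclass(frozen=True)
class Ticket:
    realm: str   # issuing realm: the "Realm:" field Network Monitor shows
    sname: str   # krbtgt/<realm> for a (cross-realm) TGT, otherwise an SPN
    cname: str

@dataclass(frozen=True)
class Exchange:
    src: str
    dst: str
    req_realm: str
    req_sname: str
    presented: Ticket          # ticket carried in the KRB_AP_REQ of the TGS-REQ
    reply: Union[Ticket, str]  # issued ticket, or a KRB_ERROR text

def ancestors(realm):
    chain = []
    while realm is not None:
        chain.append(realm)
        realm = PARENT[realm]
    return chain

def next_hop(src: str, dst: str) -> str:
    """First realm after src on the trust path from src to dst."""
    up, down = ancestors(src), ancestors(dst)
    common = next((r for r in up if r in down), None)
    if common is None:
        raise ValueError(f"no trust path from {src} to {dst}")
    if src != common:
        return PARENT[src]               # step up toward the common ancestor
    return down[down.index(src) - 1]     # step down toward dst

def kdc_tgs(realm: str, presented: Ticket, sname: str) -> Union[Ticket, str]:
    """TGS-REQ handling by the KDC of `realm` (simplified)."""
    if presented.sname != f"krbtgt/{realm}":
        raise ValueError(f"{realm} cannot decrypt a ticket for {presented.sname}")
    cname = presented.cname
    if sname.startswith("krbtgt/"):
        # Cross-realm TGT request: issue one for the next trusted realm on the
        # path, which is the requested realm itself when it is directly trusted.
        return Ticket(realm, f"krbtgt/{next_hop(realm, sname.split('/', 1)[1])}", cname)
    owner = SPN_REALM.get(sname)
    if owner is None:
        return KDC_ERR_S_PRINCIPAL_UNKNOWN   # SPN not found locally or via GC
    if owner == realm:
        return Ticket(realm, sname, cname)   # only the owning realm can do this
    return Ticket(realm, f"krbtgt/{next_hop(realm, owner)}", cname)  # referral TGT

def get_service_ticket(client_ip: str, cname: str, home: str, spn: str) -> List[Exchange]:
    """Client side: follow referral TGTs until a KDC issues the service ticket.
    Assumption (the trace shows the requests, not how the client learns the realm):
    after the first referral the client knows the SPN's realm and asks each
    intermediate KDC for krbtgt/<that realm>, exactly as the post's client does."""
    tgt = Ticket(home, f"krbtgt/{home}", cname)   # obtained in the AS exchange
    realm, target, log = home, None, []
    while True:
        want = spn if target in (None, realm) else f"krbtgt/{target}"
        reply = kdc_tgs(realm, tgt, want)
        log.append(Exchange(client_ip, KDC_IP[realm], realm, want, tgt, reply))
        if isinstance(reply, str) or reply.sname == spn:
            return log
        target = SPN_REALM[spn]                     # see docstring assumption
        tgt, realm = reply, reply.sname.split("/", 1)[1]

def render(log: List[Exchange]) -> List[str]:
    """Summarise exchanges in the style of the Network Monitor lines above."""
    out = []
    for e in log:
        out.append(f"{e.src} {e.dst} TGS Request Realm: {e.req_realm} Sname: {e.req_sname} "
                   f"[AP_REQ ticket: {e.presented.realm}, {e.presented.sname}]")
        out.append(f"{e.dst} {e.src} " + (e.reply if isinstance(e.reply, str) else
                   f"TGS Response Cname: {e.reply.cname} [Ticket: {e.reply.realm}, {e.reply.sname}]"))
    return out

if __name__ == "__main__":
    for cname, spn in (("Administrator", "cifs/r2dom-ch2-Mem1"),
                       ("CH1-Mem$", "r2dom-ch2-Mem1"), ("CH1-Mem$", "cifs/r2dom-ch2-Mem1")):
        print("\n".join(render(get_service_ticket("10.10.10.1", cname, "CHILD1.R2DOM.LOCAL", spn))), "\n")
```

Running the module prints the three exchanges for Administrator, the error for the bare host name, and the chain for CH1-Mem$, in a form you can line up against the Network Monitor summary above; the fields to compare are the realm that issued each ticket and the Sname it was issued for, which is exactly what distinguishes a referral TGT from the final service ticket.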
Comments
Anonymous
January 01, 2003
Hey, could you guys post something similar over a Forest or External Trust?
Anonymous
January 01, 2003
Thank you Abizer !