Kerberos Authentication against Multiple Domains


The document describes accessing resources across forests using NetIQ Access Manager – Kerberos Authentication.


  1. Kerberos cross realm trust need to be enabled for both the domains

  • Make sure that the Kerberos service user account you have set up does not have “Use DES encryption types for this account” selected. If it is already selected, then you must unchecked it and reset the password. It is not possible for the same SPN/service user account to support both DES and RC4-HMAC security. It must be one or the other.

  • Make sure that the Kerberos service user account password is matching on both domains (PRIMARY.COM and OTHER.COM)

Generating keytab files:

ktpass /out PRIMARY.keytab /princ HTTP/ /mapuser nm093secidp01@PRIMARY.COM /pass N0v3ll@12 /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL /kvno 0

ktpass /out OTHER.keytab /princ HTTP/ /mapuser nm093secidp01@OTHER.COM /pass N0v3ll@12 /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL /kvno 0

Merging Key tab files:

If you have multiple keytab files that need to be in one place, you can merge the keys with the ktutil command.



Make sure configuration you do in bcsLogin.conf is required by the service to read the merged keytab information.


User Stores:

Add both the user stores (PRIMARY.COM and OTHER.COM) in the IDP cluster.


UPN Suffix:

UPN presented in the ticket to search for the user, and that the UPN suffix list would configure to accept different UPN suffixes.


Enter only the second domain in the UPN Suffixes, in our case it’s and add both the user stores in Kerberos Methods.

Note: Implementation procedures on Windows 2008 R2 are basically the same as with other Windows versions. However, since DES cipher by default is disabled in Windows 2008 R2. Enable DES cipher support on Windows 2008 R2. See the following tech note from Microsoft:



How To-Best Practice
Comment List
Parents Comment Children
No Data