
Kerberos - users and computers in different domains?


Hi All,

Currently planning a NAM deployment with a requirement for Desktop SSO
via Kerberos.

I can see a potential issue that our users and computers are currently
in different domains. The two domains are in the same forest and have a
bidirectional trust between them.

Has anyone set up Kerberos in this scenario before?

My plan is going to be to start by configuring the Kerberos class to
point to the domain where the computers are located as this domain will
issue the tickets to machines. Then configure a user store/method that
points to the domain with the users in it.

Cheers,

Rowan.


--
rtruscot
------------------------------------------------------------------------
rtruscot's Profile: https://forums.netiq.com/member.php?userid=293
View this thread: https://forums.netiq.com/showthread.php?t=46249


Re: Kerberos - users and computers in different domains?

rtruscot wrote:

>
> Hi All,
>
> Currently planning a NAM deployment with a requirement for Desktop SSO
> via Kerberos.
>
> I can see a potential issue that our users and computers are currently
> in different domains. The two domains are in the same forest and have
> a bidirectional trust between them.
>
> Has anyone set up Kerberos in this scenario before?
>
> My plan is going to be to start by configuring the Kerberos class to
> point to the domain where the computers are located as this domain
> will issue the tickets to machines. Then configure a user
> store/method that points to the domain with the users in it.


We've 'lab-ed' (or whatever the proper verb for it is) this but it got
removed from scope for prod but it did work perfectly fine in a lab.

Set up Kerberos as you would for a single domain. Make sure this all
works.

Now create a similar service account (but with the domain name of the
2nd domain inside your forest) and use ktpass to generate a keytab.
With ktab (linux utility) you can merge the 2 keytab files into one.
Place it in the location you configure in the bcsLogin.conf file and
you're done. The IDP will accept tickets from both domains.

--
Cheers,
Edward
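The keytab merge step from Edward's reply, as an added example (not code from the thread or from NetIQ): a small Python reader/writer for the standard 0x0502 keytab layout that combines one keytab per domain into a single file and lists the principals, so you can confirm the IDP's keytab carries the HTTP SPN for both realms before pointing bcsLogin.conf at it. The realm names, SPN and all-zero keys are constructed placeholders.

```python
import struct
def _read_entry(buf, off):
    size, off = struct.unpack_from(">i", buf, off)[0], off + 4
    if size < 0:                       # negative size marks a deleted slot
        return None, off - size
    end = off + size
    ncomp, off, strings = struct.unpack_from(">H", buf, off)[0], off + 2, []
    for _ in range(ncomp + 1):         # realm first, then name components
        n = struct.unpack_from(">H", buf, off)[0]
        strings.append(buf[off + 2:off + 2 + n].decode())
        off += 2 + n
    name_type, ts, vno8, etype, klen = struct.unpack_from(">IIBHH", buf, off)
    key, off = buf[off + 13:off + 13 + klen], off + 13 + klen
    kvno = struct.unpack_from(">I", buf, off)[0] if end - off >= 4 else vno8
    return {"principal": "/".join(strings[1:]) + "@" + strings[0], "name_type": name_type,
            "timestamp": ts, "kvno": kvno, "etype": etype, "key": key}, end

def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled here")
    entries, off = [], 2
    while off < len(data):
        entry, off = _read_entry(data, off)
        entries += [entry] if entry is not None else []
    return entries

def _encode_entry(e):
    name, realm = e["principal"].rsplit("@", 1)
    body = struct.pack(">H", name.count("/") + 1)
    for s in [realm] + name.split("/"):
        body += struct.pack(">H", len(s.encode())) + s.encode()
    body += struct.pack(">IIBHH", e["name_type"], e["timestamp"], e["kvno"] & 0xFF,
                        e["etype"], len(e["key"])) + e["key"] + struct.pack(">I", e["kvno"])
    return struct.pack(">i", len(body)) + body
def write_keytab(entries):
    return b"\x05\x02" + b"".join(_encode_entry(e) for e in entries)
def merge_keytabs(*blobs):   # append all entries, drop exact (principal, etype, kvno) repeats
    merged = {}
    for e in (e for blob in blobs for e in parse_keytab(blob)):
        merged.setdefault((e["principal"], e["etype"], e["kvno"]), e)
    return list(merged.values())
def principals(blob):        # the check: both realms must show up here
    return sorted(e["principal"] for e in parse_keytab(blob))
def _sample(realm, kvno):    # constructed keytab: placeholder SPN, realm and all-zero key
    return write_keytab([{"principal": "HTTP/nam.example.com@" + realm, "name_type": 1,
                          "timestamp": 0, "kvno": kvno, "etype": 17, "key": bytes(16)}])

KEYTAB_COMPUTERS = _sample("CORP.EXAMPLE", 3)   # domain that issues the machine tickets
KEYTAB_USERS = _sample("USERS.EXAMPLE", 5)      # domain holding the user accounts
MERGED = write_keytab(merge_keytabs(KEYTAB_COMPUTERS, KEYTAB_USERS, KEYTAB_COMPUTERS))
```

On a real deployment, run `principals()` over the file you place at the bcsLogin.conf location and check that one HTTP entry per realm is present, with the kvno matching what ktpass reported.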

Re: Kerberos - users and computers in different domains?


Thanks for the info Edward.

Good to hear someone has made it work!

Cheers,

Rowan


--
rtruscot


Re: Kerberos - users and computers in different domains?

rtruscot wrote:

>
> Thanks for the info Edward.
>
> Good to hear someone has made it work!


That's ok, let us know if you get stuck.

--
Cheers,
Edward