I've got a server with w2k8 and IIS7 in one domain and a keytab from some other foreign domain (no trusts). Is it possible to enable Windows Authentication (SPNEGO/Kerberos) to auth users in the web application from that foreign domain?

Vladimir Kravets
1 Answer

It's theoretically possible, but the logistics of making it work are next to impossible to implement.

I've no idea if IIS supports this or not, but it is possible in the Kerberos API to say "try to decrypt this response using every key in the keytab". In theory, this can be used with keys from remote realms, although I've never seen code attempt it.

However, the problem is that the client needs to decide the realm and principal to use to make the request based on information outside the protocol. Thus you'd need to somehow tell all the web clients from the remote domain to use the remote domain when contacting the webserver in the w2k8 domain. You can do this with krb5.conf on Unix machines, but it would require a custom krb5.conf on every client using identities from the remote realm.

In general, Kerberos will only work across multiple realms if there is some kind of cross-realm trust enabled.

  • "Thus you'd need to somehow tell all the web clients from the remote domain to use the remote domain when contacting the webserver in the w2k8 domain." - I thought that this can be done with some manipulation of DNS. Let's say - inside the web server's own domain (domainfoo) it has the DNS record webserver.domainfoo.com, but users from the other domain (domainbar) have a DNS record which allows them to see it as webserver.domainbar.com. – Vladimir Kravets Dec 02 '14 at 11:19
  • So I've generated a keytab in domainbar for HTTP/webserver.domainbar.com, transferred the keytab file to the webserver, and I need some way to get that web server to use it. – Vladimir Kravets Dec 02 '14 at 11:23
  • The DNS trick generally won't work as Kerberos libs canonicalize DNS names before creating the service principal. – Fred the Magic Wonder Dog Dec 03 '14 at 00:18
  • Not sure how it is implemented inside, but this trick works fine when I use WebSphere Application Server instead of Internet Information Services. – Vladimir Kravets Dec 03 '14 at 09:03
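The answer and the comment thread turn on two client-side decisions that happen before any Kerberos message is sent: which hostname goes into the service principal (after DNS canonicalization), and which realm the [domain_realm] section of krb5.conf maps that hostname to. The following Python model is an added illustration, not code from the question, the answer, or any Kerberos library. The DNS records, realm names and keytab contents are constructed, and the canonicalization steps only sketch the effect of the MIT krb5 options dns_canonicalize_hostname and rdns; the real library does more. It shows why the "DNS trick" produces an SPN that the domainbar keytab cannot decrypt, and why turning canonicalization off on a Unix client changes the SPN and the realm it requests a ticket for.

```python
"""Model of how a Unix Kerberos client derives the HTTP service principal
and realm for a request. Added example; all data below is constructed."""

# Constructed DNS data reproducing the "DNS trick" from the comments:
# domainbar publishes an alias for a server that really lives in domainfoo.
DNS_CNAME = {"webserver.domainbar.com": "webserver.domainfoo.com"}
DNS_A = {"webserver.domainfoo.com": "192.0.2.10"}   # TEST-NET-1 address
DNS_PTR = {"192.0.2.10": "webserver.domainfoo.com"}

# Constructed [domain_realm] section as a domainbar client's krb5.conf
# would carry it (the custom krb5.conf the answer says every client needs).
DOMAIN_REALM = {
    ".domainfoo.com": "DOMAINFOO.COM",
    ".domainbar.com": "DOMAINBAR.COM",
}

# Constructed keytab on the web server: only the key the asker generated.
SERVER_KEYTAB = {"HTTP/webserver.domainbar.com@DOMAINBAR.COM"}


def canonicalize(host, dns_canonicalize_hostname=True, rdns=True):
    """Sketch of krb5 hostname canonicalization before the SPN is built:
    follow CNAMEs to the canonical name, then (if rdns is on) replace it
    with the PTR name of its address."""
    host = host.lower().rstrip(".")
    if not dns_canonicalize_hostname:
        return host
    seen = set()
    while host in DNS_CNAME and host not in seen:   # follow the alias chain
        seen.add(host)
        host = DNS_CNAME[host]
    if rdns and host in DNS_A:
        host = DNS_PTR.get(DNS_A[host], host)
    return host


def realm_for_host(host):
    """Apply [domain_realm]: the longest matching domain suffix wins."""
    matches = [d for d in DOMAIN_REALM if host.endswith(d)]
    return DOMAIN_REALM[max(matches, key=len)] if matches else None


def service_principal(url_host, **canon_opts):
    """SPN the client will ask its KDC for when it opens http://url_host/."""
    host = canonicalize(url_host, **canon_opts)
    realm = realm_for_host(host)
    return f"HTTP/{host}@{realm}" if realm else f"HTTP/{host}"


def keytab_can_decrypt(spn, keytab=SERVER_KEYTAB):
    """Does the server hold a key for that principal? (Ignores kvno/enctype.)"""
    return spn in keytab


if __name__ == "__main__":
    for opts in ({}, {"dns_canonicalize_hostname": False}):
        spn = service_principal("webserver.domainbar.com", **opts)
        print(f"{opts or 'defaults'}: {spn} -> "
              f"{'decryptable' if keytab_can_decrypt(spn) else 'no matching key'}")
```

With default settings the alias collapses to webserver.domainfoo.com, so the client requests HTTP/webserver.domainfoo.com@DOMAINFOO.COM, which a domainbar KDC can only issue through a cross-realm trust, and which the domainbar keytab has no key for. Only with canonicalization disabled in the client's krb5.conf does the SPN stay HTTP/webserver.domainbar.com@DOMAINBAR.COM and match the keytab, which is exactly the per-client configuration burden the answer describes; Windows clients have no krb5.conf to change, so this model applies to the Unix case the answer mentions.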