KB21431 - Kerberos SSO and authentication for resource in Inter-child domain does not work

Last Modified Date: 8/2/2015 12:11 PM
Synopsis
This article describes a failure of Kerberos SSO and resource authentication in an inter-child domain environment.

 
Problem or Goal
Referral TGTs are not supported; only cross-realm TGTs are supported.
Cause
Solution
In an inter-child domain environment:
ABC.COM
|
|- XX.ABC.COM
|- YY.ABC.COM
|- ZZ.ABC.COM


When the PCS device tries to fetch the cross-realm TGT, the TGS-REQ is correct, but in the TGS-REP the backend responds with a referral TGT to realm abc.com instead of a cross-realm TGT for realm YY.ABC.COM.

The backend server sends a valid ticket and then expects the PCS device to use that ticket to try the next level of trust. The PCS device does not store referral TGTs and has no implementation for going up to the next level of the trust path to fetch TGTs.

Support for referral TGTs is limited for the following reason:

"PCS does not store the referral TGTs and hence it does not have implementation to go up to the next level of trust to fetch TGTs."

PCS currently supports cross-realm TGTs if a direct trust exists between the client KDC and the server KDC (a two-way direct trust relationship between the domains).
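
The following Python sketch is an added example, not code from PCS or from the original article. It models the trust layout above to show when a TGS-REP will carry a referral TGT rather than a cross-realm TGT. The trust map, the choice of XX.ABC.COM as the client realm, and all function names are assumptions made for illustration.

```python
from collections import deque

# Constructed trust map for the article's layout: each child domain has a
# two-way trust with the parent ABC.COM only, none between siblings.
TRUSTS = [("XX.ABC.COM", "ABC.COM"), ("YY.ABC.COM", "ABC.COM"),
          ("ZZ.ABC.COM", "ABC.COM")]

def trust_path(client_realm, target_realm, trusts):
    """Shortest chain of realms linked by direct trusts, or None."""
    graph = {}
    for a, b in trusts:
        graph.setdefault(a.upper(), set()).add(b.upper())
        graph.setdefault(b.upper(), set()).add(a.upper())
    start, goal = client_realm.upper(), target_realm.upper()
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def classify_tgs_rep(ticket_sname, target_realm):
    """Label the ticket in a TGS-REP by its service name (krbtgt/<REALM>)."""
    service, _, realm = ticket_sname.partition("/")
    if service.lower() != "krbtgt":
        return "service-ticket"
    if realm.upper() == target_realm.upper():
        return "cross-realm"
    return "referral"  # TGT for an intermediate realm on the trust path

def needs_referral(client_realm, target_realm, trusts):
    """True when the target is only reachable through an intermediate realm."""
    path = trust_path(client_realm, target_realm, trusts)
    if path is None:
        raise ValueError("no trust path between the realms")
    return len(path) > 2

if __name__ == "__main__":
    print(trust_path("XX.ABC.COM", "YY.ABC.COM", TRUSTS))
    print(classify_tgs_rep("krbtgt/ABC.COM", "YY.ABC.COM"))
    print(needs_referral("XX.ABC.COM", "YY.ABC.COM", TRUSTS))
```

Adding a direct two-way trust between the client and server domains to the map shortens the path to two realms, which is the case the article says PCS supports.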
Created By: Data Deployment