SPNEGO/Kerberos in IIS with foreign domain keytab

919 views Asked by At

I've got server with w2k8 and IIS7 in one domain and keytab from some other foreign domain (no trusts). Is it possible to enable Windows Authentification (SPNEGO/Kerberos) to auth users in Web Application from the those foreign domain?

1

There are 1 answers

4
Fred the Magic Wonder Dog On BEST ANSWER

It's theoretically possible, but the logistics of making it work are next to impossible to implement.

I've no idea if IIS supports this or not, but it is possible in the kerberos API to say "try to decrypt this response using every key in the keytab". In theory, this can be used with keys from remote realms, although I've never seen code attempt it.

However, the problem is the client needs to decide the realm and principal to use to make the request based on information outside the protocol. Thus you'd need to somehow tell all the web clients from the remote domain to use the remote domain when contacting the webserver in the w2k8 domain. You can do this with krb5.conf on unix machines, but it would require a custom krb5.conf on every client using identities from the remote realm.

In general, kerberos will only work across multiple realms if there is some kind of cross realm trust enabled.