2 Replies Latest reply on May 2, 2013 11:42 AM by Sumesh P

    How to configure cross Domain Authentication utilizing Trust, in Bladelogic, without direct connectivity to the target kdc

      I have been trying to figure out how Bladelogic needs to be configured; I didn’t find any resources that explain how to deal with my scenario.

      [I am trying Domain Authentication NOT Kerberos]

      Question: How to enable cross Domain Authentication utilizing Trust, in Bladelogic, without direct connectivity to the target kdc

      Here is the scenario:

      DOMAIN1.SUBROOT1.ROOT.COM - Application installed in DOMAIN1
      DOMAIN2.SUBROOT2.ROOT.COM - User accounts are in DOMAIN2

      TRUST already in place:
      DOMAIN1 trusts SUBROOT2

      What already works: DOMAIN2\USER2 can log in to computers in DOMAIN1 using Windows authentication.

      No additional configurations were made on either domain/DCs to accommodate Bladelogic; the documentation also doesn’t ask for any special configurations.

      There is no direct network connection between DOMAIN1 and DOMAIN2; authentication happens via the trust.

      Windows authentication works, but application auth based on krb5 doesn't work.

      The krb5.conf, if created per documentation (like below), would not work here as the App Server does not have a direct communication path to servers in DOMAIN2, i.e. it cannot directly query kdc2.DOMAIN2.SUBROOT2.ROOT.COM.

      Krb5.conf

      [libdefaults]
          ticket_lifetime = 6000
          default_realm = DOMAIN1.SUBROOT1.ROOT.COM

      [realms]
          DOMAIN1.SUBROOT1.ROOT.COM = {
              kdc = kdc1.DOMAIN1.SUBROOT1.ROOT.COM
          }

          DOMAIN2.SUBROOT2.ROOT.COM = {
              kdc = kdc2.DOMAIN2.SUBROOT2.ROOT.COM
          }

      [domain_realm]
          .domain1.subroot1.root.com = DOMAIN1.SUBROOT1.ROOT.COM
          .domain2.subroot2.root.com = DOMAIN2.SUBROOT2.ROOT.COM

      So I tried modifying the krb5.conf as below based on some external documentation:

      Krb5.conf

      [libdefaults]
          ticket_lifetime = 6000
          default_realm = DOMAIN1.SUBROOT1.ROOT.COM

      [realms]
          DOMAIN1.SUBROOT1.ROOT.COM = {
              kdc = kdc1.DOMAIN1.SUBROOT1.ROOT.COM
          }

      [domain_realm]
          .domain1.subroot1.root.com = DOMAIN1.SUBROOT1.ROOT.COM
          .domain2.subroot2.root.com = DOMAIN2.SUBROOT2.ROOT.COM

      [capaths]
          DOMAIN1.SUBROOT1.ROOT.COM = {
              DOMAIN1.SUBROOT1.ROOT.COM = .
              DOMAIN2.SUBROOT2.ROOT.COM = SUBROOT2.ROOT.COM
              SUBROOT2.ROOT.COM = DOMAIN1.SUBROOT1.ROOT.COM
              DOMAIN2.SUBROOT2.ROOT.COM = DOMAIN1.SUBROOT1.ROOT.COM
          }

      This also doesn’t work. I have also tried pointing the DOMAIN2 realm section to the DOMAIN1 KDC; that too fails.

      What additional configuration do I need for BL to be able to redirect the authentication requests through the trust that is already in place?

      Regards,

      Sumesh
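An added example, not code from the original post or from BladeLogic, that checks what a krb5.conf like the ones above actually tells the client library to do. It parses the [realms] and [capaths] sections under MIT krb5's documented semantics (each subtag under the client realm's block names a server realm, its values are the intermediate realms in order, and "." means a direct shared-key hop), reports the chain of KDCs the client must be able to contact for a given client/server realm pair, lists which of those realms have no kdc entry in [realms], and flags a capaths entry that routes back through the client or server realm. The two embedded configurations are constructed samples modelled on the realm names in the post (the second reproduces the repeated subtags of the posted [capaths] block); the function names and the hostnames in them are assumptions of this example.

```python
"""Inspect cross-realm routing in an MIT-style krb5.conf (added example)."""
import re

# Constructed sample: realm names modelled on the post, hostnames are placeholders.
SAMPLE_CONF = """
[libdefaults]
    default_realm = DOMAIN1.SUBROOT1.ROOT.COM

[realms]
    DOMAIN1.SUBROOT1.ROOT.COM = {
        kdc = kdc1.domain1.subroot1.root.com
    }

[capaths]
    DOMAIN1.SUBROOT1.ROOT.COM = {
        DOMAIN2.SUBROOT2.ROOT.COM = SUBROOT2.ROOT.COM
        SUBROOT2.ROOT.COM = .
    }
    DOMAIN2.SUBROOT2.ROOT.COM = {
        DOMAIN1.SUBROOT1.ROOT.COM = SUBROOT2.ROOT.COM
    }
"""

# Constructed variant reproducing the repeated subtags of the posted [capaths] block.
LOOPING_CONF = """
[capaths]
    DOMAIN1.SUBROOT1.ROOT.COM = {
        DOMAIN1.SUBROOT1.ROOT.COM = .
        DOMAIN2.SUBROOT2.ROOT.COM = SUBROOT2.ROOT.COM
        SUBROOT2.ROOT.COM = DOMAIN1.SUBROOT1.ROOT.COM
        DOMAIN2.SUBROOT2.ROOT.COM = DOMAIN1.SUBROOT1.ROOT.COM
    }
"""


def parse_krb5_conf(text):
    """Parse into {section: {tag: [values] or {subtag: [values]}}}.

    Repeated (sub)tags accumulate their values in order, which is how
    [capaths] expresses several intermediate realms. One level of
    "TAG = { ... }" nesting is handled, which is all these sections use.
    """
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r'\[(\w+)\]', line)
        if m:
            section, block = m.group(1), None
            conf.setdefault(section, {})
            continue
        if line == '}':
            block = None
            continue
        m = re.fullmatch(r'(\S+)\s*=\s*(.+)', line)
        if m is None or section is None:
            raise ValueError(f'unparsable line: {raw!r}')
        tag, value = m.group(1), m.group(2).strip()
        if value == '{':
            block = tag
            conf[section].setdefault(tag, {})
        elif block is None:
            conf[section].setdefault(tag, []).append(value)
        else:
            conf[section][block].setdefault(tag, []).append(value)
    return conf


def capath(conf, client_realm, server_realm):
    """Intermediate realms the client traverses: [] for a direct hop, None when
    no [capaths] entry exists (the library then walks the realm hierarchy,
    which needs a reachable KDC at every parent realm)."""
    if client_realm == server_realm:
        return []
    values = conf.get('capaths', {}).get(client_realm, {}).get(server_realm)
    if values is None:
        return None
    return [r for r in values if r != '.']


def kdcs_contacted(conf, client_realm, server_realm):
    """Realms whose KDC the client must reach, in order: its own realm for the
    AS-REQ, each intermediate for the next cross-realm TGT, then the server's."""
    path = capath(conf, client_realm, server_realm) or []
    return list(dict.fromkeys([client_realm] + path + [server_realm]))


def realms_without_kdc(conf, client_realm, server_realm):
    """Hops on the path with no kdc listed in [realms]; the library would have
    to discover those KDCs through DNS instead."""
    realms = conf.get('realms', {})
    return [r for r in kdcs_contacted(conf, client_realm, server_realm)
            if not realms.get(r, {}).get('kdc')]


def path_problems(conf, client_realm, server_realm):
    """Intermediates that are the client or server realm itself; such a hop
    cannot yield a new cross-realm TGT, so the entry is misconfigured."""
    path = capath(conf, client_realm, server_realm) or []
    return [r for r in path if r in (client_realm, server_realm)]


if __name__ == '__main__':
    conf = parse_krb5_conf(SAMPLE_CONF)
    c, s = 'DOMAIN2.SUBROOT2.ROOT.COM', 'DOMAIN1.SUBROOT1.ROOT.COM'
    print('intermediates:', capath(conf, c, s))
    print('KDCs contacted:', kdcs_contacted(conf, c, s))
    print('no kdc listed:', realms_without_kdc(conf, c, s))
    print('looping hops:', path_problems(parse_krb5_conf(LOOPING_CONF), s, c))
```

The list of realms without a listed kdc is the connectivity check to run before touching [capaths]: every realm in that chain is one the client itself has to talk to, and for a user whose account lives in DOMAIN2 the chain starts at DOMAIN2's KDC, because the AS-REQ always goes to the principal's own realm regardless of how the transit path is routed. Run against the looping variant, the checker reports DOMAIN1 appearing as an intermediate of its own path, which is what the duplicated DOMAIN2 subtag in the posted block produces.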