I have 2 domains in Active Directory: domain A and domain B. There is a bidirectional trust set up between those domains. Domain A has a user A, domain B has a user B. Additionally, domain A has a domain local security group called group A. User B is a member of group A.
What I want to achieve is to authenticate both users in domain A. So far I had no problems with authenticating user A in domain A and user B in domain B. Now I need to authenticate user B in domain A.
Is this doable in a Java/Spring tech stack? My first try was with ActiveDirectoryLdapAuthenticationProvider from Spring Security, but then I checked that it uses a simple LDAP bind request, so I guess this is not doable with this provider.
Next I tried to use Kerberos (Spring Security Kerberos module), but again: I can authenticate user A in domain A and user B in domain B. No success when trying to authenticate user B in domain A. When I read some topics regarding cross-realm authentication in Kerberos, I can see solutions with two realms (each has its own KDC specified). This will work in a way that user B will be authenticated in domain B, which I want to avoid.
My krb5.conf:
[libdefaults]
    default_realm = DOMAIN-A.COM
    default_tkt_enctypes = rc4-hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = rc4-hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

[realms]
    DOMAIN-A.COM = {
        kdc = domain-a.com
        admin_server = domain-a.com
    }

[domain_realm]
    .domain-a.com = DOMAIN-A.COM
    domain-a.com = DOMAIN-A.COM
Is there any way I can configure Kerberos (or maybe Configure Active Directory or KDC) to make it happen?
Or is there some completely different approach to this problem, something other than Kerberos?
You're OK on the "User B is a member of the domain local security group A" part. But what I think is wrong is your krb5.conf doesn't contain any references to domain B. So it won't know where to go to validate the Kerberos ticket. See an MIT example of a krb5.conf containing two domains. If it still doesn't work after editing the krb5.conf according to the example, please update your question with what the latest one looks like.
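A two-realm krb5.conf of the kind the answer refers to, added here as an example (it is neither the asker's file nor the MIT example); the realm name DOMAIN-B.COM, the DC hostnames and the [capaths] entries are assumptions for a direct two-way trust:

```ini
[libdefaults]
    default_realm = DOMAIN-A.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    # AES only; the rc4-hmac/des types from the original file are
    # deprecated and should only be re-added if a legacy DC requires them
    default_tkt_enctypes = aes256-cts aes128-cts
    default_tgs_enctypes = aes256-cts aes128-cts

[realms]
    # hostnames are assumed; point them at a DC of each domain
    DOMAIN-A.COM = {
        kdc = dc1.domain-a.com
        admin_server = dc1.domain-a.com
    }
    DOMAIN-B.COM = {
        kdc = dc1.domain-b.com
        admin_server = dc1.domain-b.com
    }

[domain_realm]
    .domain-a.com = DOMAIN-A.COM
    domain-a.com = DOMAIN-A.COM
    .domain-b.com = DOMAIN-B.COM
    domain-b.com = DOMAIN-B.COM

[capaths]
    # "." means a direct cross-realm path with no intermediate realm,
    # matching the bidirectional trust between the two domains
    DOMAIN-B.COM = {
        DOMAIN-A.COM = .
    }
    DOMAIN-A.COM = {
        DOMAIN-B.COM = .
    }
```

With this file, user B still gets the initial TGT from DOMAIN-B.COM's KDC and then a cross-realm TGT for DOMAIN-A.COM; that is how Kerberos cross-realm authentication works, and the service in domain A then authorizes user B through group A.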