Kerberos Multi domain same forest

There are three domains in my environment: DomainA, DomainB, and DomainC. DomainA is the parent domain; B and C are child domains. There are no user accounts in A. There is a transitive trust between A and B and between A and C. DomainB and DomainC don’t have a trust between them. I can get manual Kerberos to function if I set the default domain to either DomainB or DomainC and use an account name in those domains. If the default domain is set to DomainB and I log in with an account from DomainC, I have to use the fully qualified domain name in the UPN. I of course want to be able to log in users of both domains without FQDNs. Can someone post an example krb5.ini that should do what I need, or is it not possible?

Thanks


brewdude (BOB member since 2004-09-21)

I’m busy with this as well, and as far as I’m aware you have to use the FQDN for non-default domains.
I’m not sure if I read this in the manual or in here or on the SAP forum, but I did list this as one of the caveats to the org.


MikeD :south_africa: (BOB member since 2002-06-18)

Thanks for the reply. I haven’t tackled the issue yet, but what implications does that have on SSO? It seems to me that SSO would only work on the domain configured as “default”. Anyone else out there have experiences that are similar?


brewdude (BOB member since 2004-09-21)
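
The behaviour discussed in this thread, as an added example that is not from any of the posters or from the product: a simplified model of how a Kerberos client picks the realm for a typed login name from krb5.ini. The realm names, KDC host names and the functions `parse_krb5` and `resolve_principal` are assumptions made for illustration.

```python
import re

# Constructed sample krb5.ini; realm and KDC names are placeholders.
KRB5_INI = """
[libdefaults]
    default_realm = DOMAINB.DOMAINA.EXAMPLE
    forwardable = true

[realms]
    DOMAINB.DOMAINA.EXAMPLE = {
        kdc = dc1.domainb.domaina.example
    }
    DOMAINC.DOMAINA.EXAMPLE = {
        kdc = dc1.domainc.domaina.example
    }
"""

def parse_krb5(text):
    """Return (default_realm, {realm: [kdc, ...]}) from krb5.ini text."""
    section, realm, default_realm, realms = None, None, None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                      # new [section]
            section, realm = header.group(1), None
        elif line == "}":               # end of one realm block
            realm = None
        elif section == "libdefaults" and line.startswith("default_realm"):
            default_realm = line.split("=", 1)[1].strip()
        elif section == "realms" and line.endswith("{"):
            realm = line.split("=", 1)[0].strip()
            realms[realm] = []
        elif section == "realms" and realm and line.startswith("kdc"):
            realms[realm].append(line.split("=", 1)[1].strip())
    return default_realm, realms

def resolve_principal(login, default_realm, realms):
    """Map a typed login to (principal, kdcs); a bare name gets default_realm."""
    user, sep, realm = login.partition("@")
    realm = realm if sep else default_realm
    if realm not in realms:
        raise ValueError(f"no [realms] entry for {realm}")
    return f"{user}@{realm}", realms[realm]
```

With this file, a bare `alice` is always sent to a DOMAINB KDC, so an account that exists only in DOMAINC is reached only when the realm is typed explicitly.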