Establishing Cross-Realm Trust between Active Directory and Novell KDC



By: akumar

September 26, 2007 12:31 pm


Authored by: Anil Kumar Sekhara & Ashish Kumar

Overview

This AppNote describes the process of logging in to a Windows XP member machine with Novell KDC credentials, using interoperability between Novell KDC and the Microsoft KDC (Active Directory).

Objective

The objective is to log in to a Windows machine that is part of an Active Directory Domain, using credentials of a user principal in a Novell KDC realm. Cross-realm trust is used between Active Directory and Novell KDC.

This AppNote explains how to configure cross-realm trust between Active Directory and Novell KDC, so that any Novell KDC user can log in to a domain member machine of Active Directory.

Prerequisite

Novell KDC 1.5 and Active Directory (on Windows 2003 Server) should be installed and able to contact each other.

Establishing Cross-Realm Trust

A cross-realm trust is established between the Novell KDC realm and Active Directory so that Novell KDC users are authorized for access to resources inside of the Active Directory domain. Also, because users can log in to member machines of the Active Directory domain, they can access Windows services seamlessly.

Setup Process

The basic steps in the setup process are described below.

Step 1: Provide the Name and Location of the NKDC Server

The Windows XP machine must know the name and location of the NKDC server in order to authenticate to NKDC (as the user belongs to the NKDC realm). This information is stored in the Windows registry using the ksetup utility, which comes with the Windows Support Tools available on the Windows CD.

1. Run the ksetup utility at the command prompt, as shown below:

ksetup.exe /addkdc NKDC_REALM_NAME machineNameOfNovellKDC

An example run is shown in Figure 1.

Figure 1 – Adding an NKDC realm

Step 2: Reboot the Windows XP Machine

Reboot the Windows XP machine (a domain member) for the registry entries to take effect. The newly added Novell KDC information is inserted into the registry under "HKEY_LOCAL_MACHINE\system\currentControlSet\Control\Lsa\Kerberos\Domains", as shown in Figure 2.

Figure 2 – Registry info for NKDC

Step 3: Establish Cross-Realm Trust between Active Directory and the Novell KDC Realm

Note: The password chosen for the cross-realm trust must be the same on both Active Directory (configured on Windows 2003 Server) and NKDC when creating the cross-realm trust. This is the shared secret between Novell KDC and Active Directory.

NKDC Server Configuration

1. Add the following two krbtgt principals using kadmin.local, with the encryption type des:normal:

krbtgt/NKDC_REALM@AD-DOMAIN-NAME 
krbtgt/AD-DOMAIN-NAME@NKDC_REALM

Example:

st-nf-cli-185:/opt/novell/kerberos/sbin # kadmin.local
Authenticating as principal administrator/admin@CERT1.COM with password.

kadmin.local:  addprinc -e des:normal krbtgt/CERT1.COM@NKDC185.com
WARNING: no policy specified for krbtgt/CERT1.COM@NKDC185.com; defaulting to no policy
Enter password for principal "krbtgt/CERT1.COM@NKDC185.com":
Re-enter password for principal "krbtgt/CERT1.COM@NKDC185.com":
Principal "krbtgt/CERT1.COM@NKDC185.com" created.

kadmin.local:  addprinc -e des:normal krbtgt/NKDC185.com@CERT1.COM
WARNING: no policy specified for krbtgt/NKDC185.com@CERT1.COM; defaulting to no policy
Enter password for principal "krbtgt/NKDC185.com@CERT1.COM":
Re-enter password for principal "krbtgt/NKDC185.com@CERT1.COM":
Principal "krbtgt/NKDC185.com@CERT1.COM" created.

Win2K3 Server (AD) Configuration

1. Log in to Windows 2003 server, using an account that has Domain Administrator privileges.

2. Open Active Directory domain and trusts by clicking Start > Programs > Administrative Tools > Active Directory Domains and Trusts.

3. Right-click on Domain and select Properties.

4. Add the Novell KDC Realm to be trusted by Active Directory by clicking on Trusts and then New Trust, as shown in Figure 3.

Figure 3 – cert1.com Properties

Then complete the steps as shown in Figures 4-13 below.

Figure 4 – New Trust Wizard

Figure 5 – cert1.com Properties

Figure 6 – New Trust Wizard

Figure 7 – Trust Name

Figure 8 – Trust Type

Figure 9 – Direction of Trust

Note: While setting the password for the trusted domain under “Domains trusted by this domain” on the AD server, use the same password associated with the krbtgt/CERT1.COM@NKDC185.com principal created in NKDC using kadmin.local.

Figure 10 – Trust Password

Figure 11 – Trust Selections Complete

Figure 12 – Completing the New Trust Wizard

Once the trusted domain is added, it should be displayed as shown in Figure 13.

Figure 13 – cert1.com Properties

Note: By default, the trust set up using the above method is transitive, which means that child domain members of Active Directory can also authenticate against Novell KDC. This trust can be marked as non-transitive on the Active Directory server using the netdom tool (available with the Microsoft Support Tools) as follows:

C:\Program Files\Support Tools> netdom  TRUST CERT1.COM  /Domain:NKDC185.com /Transitive:no

Step 4: Create a User Principal

Create a user principal that will be used to log in to the member machine of AD, using kadmin.local in the Novell KDC.

Example:

st-nf-cli-185:/etc/init.d # kadmin.local
Authenticating as principal administrator/admin@CERT1.COM with password.

kadmin.local:  addprinc userinNKDC
WARNING: no policy specified for userinNKDC@NKDC185.com; defaulting to no policy
Enter password for principal "userinNKDC@NKDC185.com":
Re-enter password for principal "userinNKDC@NKDC185.com":
Principal "userinNKDC@NKDC185.com" created.

Step 5: Map an AD User to a Novell KDC User

Map an existing Active Directory user to a Novell KDC user principal created in Step 4, on the Active Directory server. This mapping provides an authentication relationship between the user in the Novell KDC realm and the user identity in Active Directory. You can do this through the Active Directory Users and Computers tool as follows:

1. Open the Active Directory Users and Computers tool (Start > Programs > Administrative Tools > Active Directory Users and Computers).

2. Ensure that the Advanced Features menu item is checked in the View menu, as shown in Figure 14.

Figure 14 – Selecting Advanced Features

3. Locate the Active Directory user account to which the Novell KDC user principal should be mapped.

4. Right-click the username and select the Name mapping tab.

5. Click Add.

6. Specify the name of the Novell KDC user principal.

7. Click OK.

Figure 15 – Security Identity Mapping

Step 6: Completing the Login Process

On the Windows XP domain member machine, the Novell KDC realm should now appear in the “Log on to” drop-down box of the Windows logon screen.

1. Enter the User principal credentials of the Novell KDC realm.

2. Select the Novell KDC Realm.

3. Click on Login.

Authentication should be successful, and the user should be able to log in to the Windows XP machine using the Novell KDC user principal credentials.
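If the final logon fails, the usual causes are a mismatch between the three places the realm name is typed (kadmin.local on the NKDC, ksetup on the member machine, and the New Trust Wizard on the AD server), a missing krbtgt principal for one trust direction, or a user mapping that was never written. The following Python script is an added example, not part of this AppNote and not a Novell or Microsoft tool; it checks those points offline against captured output. All inputs are constructed to mirror the article's names (realm NKDC185.com, domain CERT1.COM, user principal userinNKDC); the AD account name `aduser`, the KDC host name `st-nf-cli-185.nkdc185.com` and the `Key:` lines are assumed values. It also flags cross-realm keys that carry only single-DES enctypes, since the des:normal type used in Step 3 is deprecated for Kerberos (RFC 6649) and should be replaced where both KDCs support a stronger type.

```python
"""Offline consistency checks for the AD <-> Novell KDC cross-realm trust (added example).

Inputs are text captured from the tools the AppNote already uses:
  - `kadmin.local -q listprincs` on the NKDC server (Step 3 / Step 4)
  - the `Key:` lines of `kadmin.local -q "getprinc <principal>"` (Step 3)
  - `reg query HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Domains\\<realm>`
    on the member machine, which is where ksetup /addkdc writes KdcNames (Steps 1-2)
  - an LDIF export of the mapped AD user; the Name Mapping tab of Step 5 stores
    the mapping as "Kerberos:<principal>" in altSecurityIdentities
"""
from __future__ import annotations
import re

NKDC_REALM = "NKDC185.com"   # realm name exactly as created on the Novell KDC (from the AppNote)
AD_DOMAIN = "CERT1.COM"      # Active Directory Kerberos realm (from the AppNote)
USER_PRINCIPAL = f"userinNKDC@{NKDC_REALM}"

# ---- constructed sample inputs (mirroring the AppNote's names; host/user names are assumed) ----
SAMPLE_LISTPRINCS = """\
administrator/admin@CERT1.COM
krbtgt/NKDC185.com@NKDC185.com
krbtgt/CERT1.COM@NKDC185.com
krbtgt/NKDC185.com@CERT1.COM
userinNKDC@NKDC185.com
"""
SAMPLE_KEYS = {  # constructed getprinc "Key:" lines per cross-realm principal
    "krbtgt/CERT1.COM@NKDC185.com": ["Key: vno 1, DES cbc mode with CRC-32, no salt"],
    "krbtgt/NKDC185.com@CERT1.COM": ["Key: vno 1, DES cbc mode with CRC-32, no salt"],
}
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\NKDC185.com
    KdcNames    REG_MULTI_SZ    st-nf-cli-185.nkdc185.com
"""
SAMPLE_USER_LDIF = """\
dn: CN=aduser,CN=Users,DC=cert1,DC=com
sAMAccountName: aduser
altSecurityIdentities: Kerberos:userinNKDC@NKDC185.com
"""


def expected_cross_realm_principals(nkdc_realm: str, ad_domain: str) -> set:
    """The two krbtgt principals Step 3 adds on the NKDC, one per trust direction."""
    return {f"krbtgt/{nkdc_realm}@{ad_domain}", f"krbtgt/{ad_domain}@{nkdc_realm}"}


def check_krbtgt_principals(listprincs: str, nkdc_realm: str, ad_domain: str) -> list:
    """Report cross-realm krbtgt principals missing from listprincs output.

    Kerberos realm names are case-sensitive, so a principal that matches only when
    case is ignored is reported as missing (with the near-miss named) rather than accepted.
    """
    present = {line.strip() for line in listprincs.splitlines() if line.strip()}
    findings = []
    for princ in sorted(expected_cross_realm_principals(nkdc_realm, ad_domain)):
        if princ in present:
            continue
        near = [p for p in present if p.lower() == princ.lower()]
        findings.append(f"MISSING {princ}" + (f" (found case-variant {near[0]})" if near else ""))
    return findings


def check_enctypes(keys_by_principal: dict) -> list:
    """Flag principals whose keys are all single-DES ("DES ..." / "des-cbc-*", not des3)."""
    single_des = re.compile(r"\bdes\b", re.IGNORECASE)  # \b excludes des3-...; 'triple' excluded below
    findings = []
    for princ, keys in keys_by_principal.items():
        if keys and all(single_des.search(k) and "triple" not in k.lower() for k in keys):
            findings.append(f"WEAK-ENCTYPE {princ}: DES-only keys")
    return findings


def check_member_registry(reg_query_output: str, nkdc_realm: str) -> list:
    """Verify the Lsa\\Kerberos\\Domains\\<realm> key written by ksetup /addkdc on the member."""
    key_re = re.compile(r"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Domains\\(\S+)",
                        re.IGNORECASE)
    subkey, kdcs = None, []
    for line in reg_query_output.splitlines():
        m = key_re.match(line.strip())
        if m:
            subkey = m.group(1)
            continue
        m = re.match(r"\s*KdcNames\s+REG_MULTI_SZ\s+(.*)", line)
        if m:  # reg.exe prints REG_MULTI_SZ entries separated by the literal text \0
            kdcs = [k for k in m.group(1).split("\\0") if k.strip()]
    findings = []
    if subkey is None:
        findings.append(f"REGISTRY no Domains\\{nkdc_realm} key: run ksetup /addkdc and reboot (Steps 1-2)")
    elif subkey != nkdc_realm:
        findings.append(f"REGISTRY realm key {subkey!r} differs from {nkdc_realm!r} (case matters)")
    elif not kdcs:
        findings.append(f"REGISTRY Domains\\{nkdc_realm} has no KdcNames value")
    return findings


def check_name_mapping(ldif: str, user_principal: str) -> list:
    """Verify Step 5's mapping: altSecurityIdentities must hold Kerberos:<principal>."""
    mapped = re.findall(r"^altSecurityIdentities:\s*Kerberos:(\S+)\s*$", ldif, re.MULTILINE)
    return [] if user_principal in mapped else [f"MAPPING {user_principal} not in altSecurityIdentities {mapped}"]


def run_all() -> list:
    """Run every check over the constructed samples; an empty list means all checks passed."""
    return (check_krbtgt_principals(SAMPLE_LISTPRINCS, NKDC_REALM, AD_DOMAIN)
            + check_enctypes(SAMPLE_KEYS)
            + check_member_registry(SAMPLE_REG_QUERY, NKDC_REALM)
            + check_name_mapping(SAMPLE_USER_LDIF, USER_PRINCIPAL))


if __name__ == "__main__":
    for finding in run_all() or ["OK: trust, registry and mapping are consistent"]:
        print(finding)
```

Against the constructed samples the only findings are the two WEAK-ENCTYPE lines, because the sample mirrors the AppNote's des:normal keys; every other check passes. Feeding it a listprincs capture in which a realm was typed in a different case on one side produces a MISSING line naming the case variant, which is the symptom that is otherwise hardest to see from the Windows logon error alone.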

Categories: Identity Manager, Technical Solutions

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.
