Kerberos: Error getting cross-realm tgt, Windows Server 2003
Hi, hope anyone can help with the following:
I'm getting the error below whenever a Java GSS-based application tries to obtain a cross-realm ticket from the local AD domain to another AD domain running on WS2003SP2:
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error:
Client Realm:
Client Name:
Server Realm: LOCAL.DOMAIN.COM
Server Name: cifs/local.domain.dom
Target Name: cifs/local.domain.com@LOCAL.DOMAIN.COM
From the Java log I can see that what the app actually asks for is 'krbtgt/domain.com@LOCAL.DOMAIN.COM', i.e. a cross-realm tgt from LOCAL.DOMAIN.COM to 'domain.com' (as the first step in the process to get a ticket for a service on 'domain.com').
The two AD domains are in the same forest and have been set up with mutual trust.
Can anyone tell me why/how a request for the SPN 'krbtgt/...' results in a failure on 'cifs/...'? What can I do to debug this issue?
Thanks in advance
/Ren
January 17th, 2008 6:34pm