I have a Windows domain - domainA, with an Apache web server on Red Hat 5 and everyone in that domain can access the website. DomainA has a forest trust with Domain B. When a user from domain B tries to access the website, he keeps getting prompted for credentials. Below is what I'm seeing in /var/log/httpd/error_log of the Apache web server. Can anyone help me out with this? I'm not sure why domainB users can't access the site. Thanks a lot. [Fri Sep 10 13:33:53 2010] [debug] src/mod_auth_kerb.c(594): [client 192.168.2.34] Trying to verify authenticity of KDC using principal HTTP/lpweb01.domaininc.com@domainINC.COM [Fri Sep 10 13:34:04 2010] [debug] src/mod_auth_kerb.c(1019): [client 192.168.2.34] kerb_authenticate_user_krb5pwd ret=0 user=ltdtemp@domainLTD.COM authtype=Basic [Fri Sep 10 13:34:04 2010] [debug] src/mod_auth_kerb.c(1485): [client 192.168.2.34] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos [Fri Sep 10 13:34:04 2010] [debug] src/mod_auth_kerb.c(940): [client 192.168.2.34] Using HTTP/lpweb01.domaininc.com@domainINC.COM as server principal for password verification [Fri Sep 10 13:34:04 2010] [debug] src/mod_auth_kerb.c(680): [client 192.168.2.34] Trying to get TGT for user ltdtemp@domainINC.COM [Fri Sep 10 13:34:04 2010] [error] [client 192.168.2.34] krb5_get_init_creds_password() failed: Client not found in Kerberos database [Fri Sep 10 13:34:04 2010] [debug] src/mod_auth_kerb.c(680): [client 192.168.2.34] Trying to get TGT for user ltdtemp@domainLTD.COM

Hi, Are both Domain A and Domain B Windows domain? According to the error "Client not found in Kerberos database ", it seems that the account could not be found in the AD database. To narrow down the cause of the issue, you can access a share folder in domain A with the account from domain B and check the result. If it works, the issue could be more related to the Apache server. This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.