Hi
I am trying to set up the VCO PS plugin and can only make it work if my host is in the same realm as the one defined in "default_realm" in the krb5.conf. See the krb5 example below:
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    udp_preference_limit = 1

[realms]
    CHILD1.EXAMPLE.COM = {
        kdc = ckdc1.child1.example.com
    }
    CHILD2.EXAMPLE.COM = {
        kdc = ckdc2.child2.example.com
    }
With the above krb5.conf, I am only able to authenticate if my PowerShell host has a name such as "PSHOST.EXAMPLE.COM". If I try to connect to another host such as PSHOST.CHILD1.EXAMPLE.COM it fails. The network capture for the failed authentication indicates that I am able to get a valid TGT for the user from the correct domain, but then the VCO starts to search for the SPN in the domain/realm given in default_realm. So if my userid is user@CHILD1.EXAMPLE.COM, the Kerberos TGT is correctly given by "ckdc1.child1.example.com", but for the TGS (which is HTTP/PSHOST.CHILD1.EXAMPLE.COM) the client searches in the KDC for EXAMPLE.COM, which doesn't have it, and this fails the authentication. If I change my default_realm to "CHILD1.EXAMPLE.COM" everything works as expected.
All domains are part of the same AD forest with two way transitive trusts.
Any help in resolving this issue is appreciated.
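The behaviour described in the post (TGS request sent to the default_realm KDC regardless of which child domain the target host lives in) follows from how a Kerberos client maps a service hostname to a realm. The example below is an added illustration, not code from the post or from the VCO plugin: it is a simplified Python model of the MIT krb5 lookup rule, where the client first consults the standard [domain_realm] section (exact hostname, then parent domains written with a leading dot) and only falls back to default_realm when nothing matches. The two krb5.conf texts are constructed from the posted configuration; the [domain_realm] entries in the second one are an assumption about how the mapping would be written, not something the post contains.

```python
"""Model of how a Kerberos client picks the realm for a service hostname.

Simplified re-implementation of the MIT krb5 [domain_realm] lookup order for
illustration. It is NOT the krb5 library's own code and ignores DNS-based
realm discovery (dns_lookup_realm); only the config-file rules are modelled.
"""

# Constructed config: the poster's krb5.conf, which has no [domain_realm] section.
CONF_WITHOUT_MAPPING = """
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    udp_preference_limit = 1

[realms]
    CHILD1.EXAMPLE.COM = {
        kdc = ckdc1.child1.example.com
    }
    CHILD2.EXAMPLE.COM = {
        kdc = ckdc2.child2.example.com
    }
"""

# Constructed config: same file plus a [domain_realm] section (assumed mapping).
# A leading dot maps a whole DNS domain; an entry without a dot maps one host.
CONF_WITH_MAPPING = CONF_WITHOUT_MAPPING + """
[domain_realm]
    .child1.example.com = CHILD1.EXAMPLE.COM
    .child2.example.com = CHILD2.EXAMPLE.COM
    .example.com = EXAMPLE.COM
"""


def parse_krb5_conf(text: str) -> dict[str, dict[str, str]]:
    """Minimal krb5.conf parser: {section: {key: value}} for top-level
    'key = value' lines. Nested '{ ... }' blocks (realm definitions) are
    skipped because the realm lookup modelled here does not need them."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth = max(depth - 1, 0)
            continue
        if depth == 0 and current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections


def host_to_realm(hostname: str, conf: dict[str, dict[str, str]]) -> tuple[str, str]:
    """Return (realm, reason) for a service host, following the krb5 order:
    1. exact hostname entry in [domain_realm]
    2. each parent domain with a leading dot, most specific first
    3. libdefaults default_realm as the last resort."""
    host = hostname.lower().rstrip(".")
    mapping = conf.get("domain_realm", {})
    if host in mapping:
        return mapping[host], f"exact [domain_realm] entry for {host}"
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent], f"[domain_realm] suffix entry {parent}"
    default = conf.get("libdefaults", {}).get("default_realm")
    if default is None:
        raise ValueError("no [domain_realm] match and no default_realm configured")
    return default, "no [domain_realm] match; fell back to default_realm"


def realm_for_spn_host(hostname: str, conf_text: str) -> str:
    """Convenience wrapper: realm the client would send the TGS-REQ to."""
    return host_to_realm(hostname, parse_krb5_conf(conf_text))[0]


if __name__ == "__main__":
    target = "PSHOST.CHILD1.EXAMPLE.COM"
    for label, text in (("without mapping", CONF_WITHOUT_MAPPING),
                        ("with mapping", CONF_WITH_MAPPING)):
        realm, reason = host_to_realm(target, parse_krb5_conf(text))
        print(f"{label:16s}: HTTP/{target} -> realm {realm} ({reason})")
```

Run as a script, the first line shows the failure mode from the post: without a [domain_realm] entry the client asks the EXAMPLE.COM KDC for HTTP/PSHOST.CHILD1.EXAMPLE.COM, which that KDC cannot serve directly; with the suffix entry the request goes to CHILD1.EXAMPLE.COM. This model deliberately stops at realm selection and does not simulate cross-realm referrals between the trusted domains, which is where a real client would go next.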