projects techreports press lab location staff
citi top.2 top.3
citi mid.3
bot.1 bot.2 bot.3
star

Referral Patch

Patch to allow referrals to multiple Windows 2000 domains.

This is a modification of a patch written by Microsoft and obtained from MIT. Our modification allows referrals to more than one W2K forest from a single MIT realm. We needed this to allow referrals to both a test and production forest...

UPDATES:

  • 11/12/2008: Add patch for the MIT 1.6.3 release.
  • 4/29/2008: Add patch for the MIT 1.4.3 release. This patch also includes a fix to not return authorization data in a referral ticket. Vista SP1 clients reject the referral ticket if it contains authorization data. It also includes a fix supplied by Phil Pishioneri which ignores a port number appended to the service principal name.
  • 11/16/2005: Update patch for the MIT 1.4.2 release to add krb5_get_host_referral_realm to the list of exported symbols from libkrb5.so.
  • 11/9/2005: Add patch for the MIT 1.4.2 release.
  • 7/19/2004: Add patch for the MIT 1.3.4 release.
  • 3/24/2004: Add patch for the MIT 1.3.1 release.
  • 5/20/2002: Add patch for the MIT 1.2.5 release.
  • 3/13/2002: Include fix for memory leak in the patch.
  • 12/14/2001: This is an update to the original patch that was posted here. We were having problems with W2K requests coming in with short names. Without a fully-qualified DNS name of the requested service, we cannot determine where the referral should go. This update adds back use of the referral_realm entry in the realm stanza of the config file as used in the original Microsoft patch. If the correct referral destination cannot be determined by using the host name in the request, then the referral is made to the default referral realm as configured by the referral_realm entry.

Here is an example of our domain_referral stanza that we added to our KDC's krb5.conf file. This is only required in the KDC's config file. (See below for client configuration.)

Here is the original patch we received from MIT (believed to be written by Microsoft).

Client Configuration

There is also some client configuration necessary in order to get this to work. The Windows 2000 clients must include a RealmFlags for the MIT realm against which it does it's initial authentication.

There is an /AddRealmFlag option on the ksetup command. This should be set to 0x8. This option was not available in SP1, it may be in SP2? Alternatively, you can set the Registry entry directly:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Domains MIT.NTDEV.MICROSOFT.COM KdcNames = REG_MULTI_SZ "mitrealm.dns.microsoft.com" KpasswdNames = REG_MULTI_SZ "mitrealm.dns.microsoft.com" RealmFlags = REG_DWORD 8

Comments? Suggestions? Send them to: iaa@umich.edu

References since 09/09/2002
Referrals

blank.space
b.star projects | techreports | press | lab | location | staff Email address
or call +1 734 763 2929
Copyright © 1996-2013
The Regents of the University of Michigan
bottom.line
citi