HP (Hewlett-Packard) E0905 Server User Manual


 
Managing Multiple Realms
Hierarchical Interrealm Trust
Chapter 10 281
Hierarchical Interrealm Trust
Use hierarchical interrealm authentication when a realm has no direct
trust path to the destination realm but does have a path to an
intermediate realm that can reach it.
Hierarchical Chain of Trust
Interrealm trust can be transitive. For example, if realm A trusts B and B
trusts C, then a client in A can get a ticket from C by following the trust
path from A to B to C.
For example, consider realm 1 as X.Y.A, realm 2 as X.Y.C, and realm 3
as X.Y.B, with the following direct trust relationships established
between them.
Realm X.Y.A has a direct trust link to realm X.Y.B.
Realm X.Y.B has a direct trust link to realm X.Y.C.
In such a configuration, the client walks the realm tree from node X.Y.A
to X.Y.C by requesting an interrealm TGT from each intermediate realm
(in this example, X.Y.B), until it obtains the service ticket from X.Y.C.
Although creating such hierarchical trusts is more efficient than
attempting to configure each server with knowledge of all possible
interrealm trust relationships, the client must still perform the realm
tree computation, map each realm to a security server host name, and
request an interrealm TGT from each realm in the path.
In addition, the Kerberos protocol requires the client to know the exact
realm of each service it needs to authenticate to. In the previous
example, the client in X.Y.A must know that the service it wants to
access belongs to realm X.Y.C.
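The walk described above, as an added example that is not part of the HP manual: the direct trust links are constructed from the statements on this page (including the RED.BLUE.COM, VIBGYOR.INDIGO.COM and GREEN.YELLOW.COM realms of the next example), and the code computes the ordered list of interrealm TGTs a client must request plus the intermediate realms that end up in the ticket's transited field, which the service realm's KDC can check against its transit policy.

```python
from collections import deque

# Constructed from this page's examples: realm -> realms it directly trusts.
# A client in realm R obtains the cross-realm TGT krbtgt/T@R only if T is here.
DIRECT_TRUST = {
    "X.Y.A": {"X.Y.B"},
    "X.Y.B": {"X.Y.C"},
    "RED.BLUE.COM": {"VIBGYOR.INDIGO.COM"},
    "VIBGYOR.INDIGO.COM": {"RED.BLUE.COM", "GREEN.YELLOW.COM"},
    "GREEN.YELLOW.COM": {"VIBGYOR.INDIGO.COM"},
}

def realm_path(links, src, dst):
    """Shortest chain of realms from src to dst over direct trust links
    (breadth-first search), or None when no chain exists."""
    if src == dst:
        return [src]
    parent = {src: None}
    queue = deque([src])
    while queue:
        realm = queue.popleft()
        for nxt in sorted(links.get(realm, ())):   # sorted for determinism
            if nxt in parent:
                continue
            parent[nxt] = realm
            if nxt == dst:
                path = [dst]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None

def tgt_requests(links, client_realm, service_realm):
    """Cross-realm TGTs the client requests, in order, to reach the service
    realm, and the intermediate realms recorded in the transited field."""
    path = realm_path(links, client_realm, service_realm)
    if path is None:
        raise LookupError(f"no trust path from {client_realm} to {service_realm}")
    tgts = [f"krbtgt/{nxt}@{cur}" for cur, nxt in zip(path, path[1:])]
    transited = path[1:-1]   # client and service realms are not listed
    return tgts, transited

if __name__ == "__main__":
    print(tgt_requests(DIRECT_TRUST, "X.Y.A", "X.Y.C"))
    print(tgt_requests(DIRECT_TRUST, "RED.BLUE.COM", "GREEN.YELLOW.COM"))
```

Because the X.Y.A links are one-way, as the page states them, a client in X.Y.C has no path back to X.Y.A and the lookup fails rather than silently guessing a route.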
Assume that a client in the realm RED.BLUE.COM needs to authenticate
to a service located in the realm GREEN.YELLOW.COM, but realm
RED.BLUE.COM does not have a direct trust relationship established with
the realm GREEN.YELLOW.COM.
Now, VIBGYOR.INDIGO.COM has a direct trust relationship established
with both RED.BLUE.COM and GREEN.YELLOW.COM. Hence, RED.BLUE.COM
can obtain an interrealm ticket through the intermediate realm,
VIBGYOR.INDIGO.COM. The client in RED.BLUE.COM requests an