Cross domain trust

Background

Kerberos supports authentication across domain and forest trusts. (See How Domain and Forest Trust Work from Microsoft)

In short: Kantega SSO can authenticate users in domains A and B using a keytab issued using a service account in domain C.

This requires that domains A and B have a trust relationship with domain C.

In addition to the trust relationships, there are also some requirements for your network infrastructure.

To understand this better, let us consider an example:

Cross-domain authentication example:

First, the facts:

Windows user

janedoe@EXAMPLE.LOCAL

JIRA running at

jira.company.com

JIRA's Service Principal Name

HTTP/jira.company.com

JIRA's service account

svc-jira-sso@HQ.COM 

Domain trust

EXAMPLE.LOCAL <=> HQ.COM

 

Or using words:

Windows user janedoe@EXAMPLE.LOCAL wants to sign in to a JIRA instance running at URL https://jira.company.com

The service principal name HTTP/jira.company.com is mapped to the service account svc-jira-sso@HQ.COM. EXAMPLE.LOCAL and HQ.COM are domains in the same forest, having a domain trust relationship with each other.

When Jane attempts to access JIRA, the following happens:

  • Jane's browser first connects to a domain controller, for EXAMPLE.LOCAL, requesting a Kerberos service ticket for the SPN HTTP/jira.company.com

  • Since this SPN does not exist in EXAMPLE.LOCAL domain, the domain controller searches the Global Catalog instead and finds the service account svc-jira-sso@HQ.COM

  • The EXAMPLE.LOCAL domain controller responds to the browser with a Ticket Granting Ticket for janedoe@EXAMPLE.LOCAL in the HQ.COM domain

  • Jane's browser now connects to an HQ.COM domain controller, again requesting a Kerberos service ticket for the SPN HTTP/jira.company.com

  • The HQ.COM domain controller issues a service ticket for service HTTP/jira.company.com@HQ.COM and user janedoe@EXAMPLE.LOCAL

  • Kantega SSO validates that the ticket is valid and authenticates janedoe@EXAMPLE.LOCAL

For this to work, all users in EXAMPLE.LOCAL must have network access to request tickets from HQ.COM domain controllers. If a firewall prevents this, Kerberos authentication will fail.