Kerberos SSO authentication using principal name from another Domain / DNS Server does not work
Symptoms
  • Kerberos SSO authentication using principal name from another Domain / DNS Server does not work.

    Example scenario:

    1. An environment with a domain and a sub-domain (they have mutual trust).
    2. An AU is configured for both of the domains.
    3. Kerberos SSO account is created for one of these domains.
Cause

Currently, Kerberos SSO authentication is allowed only when the principal was defined for the same domain as the user/machine (by running ktpass on the DC). Kerberos authentication performs a simple string comparison of the two domains, and in this scenario the "principal domain" is not equal to the "entity domain".

