Skip Menu |

From: Mukul Agarwal <>
To: "" <>
Date: Mon, 21 Nov 2011 21:36:08 +0530
Subject: S4U cross realm error

Dear Kerberos experts,

I am working on some use case of constrained delegation wherein I am 
trying to get service ticket for a service using delegated user on 
behalf of an end user. I am experimenting this using "kvno" tool where 
I am getting correct service ticket if user and service is in the same 

However I am getting following error for cross realm scenario when end 
user and service is in different domain (I have setup 2 way trust for 

>kinit -f delegate_user@FOREST2.COM 
>kvno -k delegate.keytab  -U test1@FOREST1.COM -P cifs/ 

kvno: Server not found in Kerberos database while getting credentials 
for cifs/ 

Here "delegated_user" (part of forest2) is trying to get service ticket for 
CIFS  (in forest2) on behalf of user "test1" (in forest1). 

Any help is appreciate.