Ops feedback notes 2014-09-02
One-way trust between Windows and MIT. Global identity is in Windows; authentication is to Unix. Pain point: getting the Windows client to know when a service is in a different realm. There is no Windows equivalent to MIT's wildcard mapping of DNS domain names to realm names; every subdomain had to be enumerated.
The Windows native client should be able to follow realm referrals, but it may not be obvious how to configure this on the DC.
Difficulties configuring the MIT client to do PKINIT to a Windows KDC. The docs for the MIT PKINIT client are less useful than the docs for the MIT PKINIT server.
Apparently there are some problems with AES256 support in Java 7 and 8 on Linux against a Windows KDC: the AS-REQ works but the TGS-REQ does not. We need a few more details before we can diagnose.
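As an added illustration (not part of these notes), the MIT-side krb5.conf below shows the two things the notes touch on: the wildcard domain-to-realm mapping that Windows lacks (the leading-dot form in [domain_realm]), and the client-side PKINIT settings an MIT client needs against a Windows KDC. Realm names, hostnames and file paths are constructed placeholders; the option names are the standard MIT krb5.conf ones, but the exact values (CA bundle, identity files, EKU checking mode) must match the certificates the DC actually issues.

```ini
[libdefaults]
    # placeholder realm names throughout
    default_realm = UNIX.EXAMPLE.COM
    dns_lookup_realm = false

[realms]
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
        # PKINIT client settings for a Windows KDC (constructed paths)
        pkinit_anchors = FILE:/etc/krb5/ad-root-ca.pem
        pkinit_identities = FILE:/etc/krb5/user.crt,/etc/krb5/user.key
        # accept a KDC cert that carries only id-kp-serverAuth
        # (older Windows DC certificate templates); default is kpKDC
        pkinit_eku_checking = kpServerAuth
        # accept a dNSName SAN on the KDC cert instead of id-pkinit-san
        pkinit_kdc_hostname = dc1.ad.example.com
    }
    UNIX.EXAMPLE.COM = {
        kdc = kdc1.unix.example.com
    }

[domain_realm]
    # leading dot = wildcard: every host under ad.example.com maps to AD.EXAMPLE.COM,
    # so subdomains do not have to be enumerated one by one
    .ad.example.com = AD.EXAMPLE.COM
    ad.example.com = AD.EXAMPLE.COM
    .unix.example.com = UNIX.EXAMPLE.COM
    unix.example.com = UNIX.EXAMPLE.COM
```

With dns_lookup_realm off, the [domain_realm] section is the only thing deciding which realm a service principal belongs to, so a missing wildcard entry shows up as the client asking the wrong KDC for a service ticket; that is the symptom to check first before looking at the trust itself.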