
Re: PPTP / L2TP with Kerberos -- what specs does it follow?

daemon@ATHENA.MIT.EDU (Rick van Rein)
Sun Nov 30 05:09:43 2014

Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
From: Rick van Rein <rick@openfortress.nl>
In-Reply-To: <201411300542.sAU5gdRn018905@hedwig.cmf.nrl.navy.mil>
Date: Sun, 30 Nov 2014 11:09:22 +0100
Message-Id: <F41D7A89-73C8-4E74-A22B-15AA9F36CE2C@openfortress.nl>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi,

I was also surprised about the fear of opening a KDC up to the public, but...

> The idea of making the Active Directory
> server reachable from the public internet is simply frightening to them.

…in this specific vendor case I can imagine.  The closedness of the code,
combined with the track record of this particular vendor in security matters
would make me think again.  That is perhaps FUD-based reasoning.

>    http://technet.microsoft.com/en-us/library/dn509513.aspx
> 
> The key quote here:
> 
>    Domain controllers and AD FS servers should never be exposed
>    directly to the Internet and should only be reachable through the
>    VPN connection.

This is a very general statement, and is too broad to conclude that the
Kerberos5 p[ao]rt should be confined to a LAN.

> Also, I suspect that many AD administrators don't see the need; why
> would you ever take a managed computer outside of the intranet?

The modern keyword “mobility” springs to mind…
And of course “SSO” as a clinching argument for users…

-Rick
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
