in Kerberos
Re: service that communicates with different KDCs
daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Nov 5 10:56:54 2010
From: Greg Hudson <firstname.lastname@example.org>
To: Ben <email@example.com>
Date: Fri, 05 Nov 2010 10:56:46 -0400
Cc: "firstname.lastname@example.org" <email@example.com>
Content-Type: text/plain; charset="us-ascii"
On Thu, 2010-11-04 at 06:53 -0400, Ben wrote:
> The problem is that it's a webservice that
> possibly needs to communicate with different KDCs.
Kerberos services don't actually need to communicate with KDCs unless
they also act as Kerberos clients for some reason.
> Is it possible to allow this application to
> authenticate users from different KDC's.
Yes, this is possible.
> My main concern is that you need time synchronisation, which is quite
> difficult if multiple clients want to use their own KDC server.
One would hope that all of the KDCs are within a few seconds of the
Kerberos mailing list Kerberos@mit.edu