[36192] in Kerberos
Re: Advice on cross-realm PKINIT?
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Jun 9 15:55:19 2014
Message-ID: <53961113.2070306@mit.edu>
Date: Mon, 09 Jun 2014 15:54:59 -0400
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>,
"kerberos@mit.edu" <kerberos@mit.edu>
In-Reply-To: <82E7C9A01FD0764CACDD35D10F5DFB6E6D4984@001FSN2MPN1-044.001f.mgd2.msft.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 06/09/2014 03:28 PM, Nordgren, Bryce L -FS wrote:
> How do I set up PKINIT so that the principal: 1] does not have to exist in the local database; and 2] can be from a non-local realm?
The Kerberos protocol does not support cross-realm AS requests. The
definition of KDC-REQ-BODY in RFC 4120 section 5.4.1 contains only one
realm (at the ASN.1 level, a PrincipalName does not include the realm)
which is used for both the client and server principal. So the requests
in the second and third examples are actually for a TGT in the
EXTERNAL.ORG realm (presumably krbtgt/EXAMPLE.COM@EXTERNAL.ORG), which
cannot be served from the EXAMPLE.COM KDC.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
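To make the structural point above concrete, here is an added example (not code from the post or from MIT Kerberos) that DER-encodes a minimal KDC-REQ-BODY with the tags from RFC 4120 section 5.4.1 and then decodes it the way a KDC would. The field layout (kdc-options [0], cname [1], realm [2], sname [3], till [5], nonce [7], etype [8]) follows the RFC; the helper names, the client name `user`, the nonce, the timestamp and the etype list are constructed for the example. EXAMPLE.COM and EXTERNAL.ORG are the realms from the thread.

```python
"""Encode a minimal Kerberos KDC-REQ-BODY (RFC 4120 5.4.1) in DER with only the
standard library, then decode it to show that the single realm field [2] is
applied to both cname and sname.  Added example, not code from the post."""
import datetime


def der_len(n: int) -> bytes:
    """DER length octets (short and long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v: int) -> bytes:
    """INTEGER, minimal two's-complement encoding."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def ctx(n: int, body: bytes) -> bytes:
    """EXPLICIT context-specific tag [n] (constructed), as RFC 4120 uses throughout."""
    return tlv(0xA0 | n, body)


def kerberos_string(s: str) -> bytes:
    return tlv(0x1B, s.encode("ascii"))  # KerberosString ::= GeneralString


def principal_name(name: str) -> bytes:
    """PrincipalName ::= SEQUENCE { name-type [0] Int32,
                                   name-string [1] SEQUENCE OF KerberosString }
    There is no realm component anywhere in this structure."""
    parts = name.split("/")
    name_type = 2 if len(parts) > 1 else 1  # NT-SRV-INST for krbtgt/..., else NT-PRINCIPAL
    strings = b"".join(kerberos_string(p) for p in parts)
    return tlv(0x30, ctx(0, der_int(name_type)) + ctx(1, tlv(0x30, strings)))


def kdc_req_body(client: str, server: str, nonce: int, etypes) -> bytes:
    """Build the body for an AS-REQ.  `client` is "name@REALM"; the realm part
    becomes the one realm field [2].  `server` carries no realm of its own."""
    cname, _, realm = client.rpartition("@")
    till = datetime.datetime(2014, 6, 10, tzinfo=datetime.timezone.utc)  # constructed
    kerberos_time = tlv(0x18, till.strftime("%Y%m%d%H%M%SZ").encode("ascii"))
    body = (
        ctx(0, tlv(0x03, b"\x00\x00\x00\x00\x00"))   # kdc-options: 32-bit BIT STRING, no flags
        + ctx(1, principal_name(cname))              # cname: no realm inside
        + ctx(2, kerberos_string(realm))             # realm: the only realm in the request
        + ctx(3, principal_name(server))             # sname: no realm inside
        + ctx(5, kerberos_time)                      # till
        + ctx(7, der_int(nonce))                     # nonce
        + ctx(8, tlv(0x30, b"".join(der_int(e) for e in etypes)))  # etype
    )
    return tlv(0x30, body)


def der_read(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def der_children(buf: bytes):
    pos, out = 0, []
    while pos < len(buf):
        tag, val, pos = der_read(buf, pos)
        out.append((tag, val))
    return out


def parse_principal_name(pn_contents: bytes) -> str:
    fields = {tag & 0x1F: val for tag, val in der_children(pn_contents)}
    _, strings, _ = der_read(fields[1], 0)  # the SEQUENCE OF KerberosString
    return "/".join(v.decode("ascii") for _, v in der_children(strings))


def requested_principals(body_der: bytes):
    """Decode the body as a KDC does: cname and sname both take realm field [2]."""
    _, body, _ = der_read(body_der, 0)
    fields = {tag & 0x1F: val for tag, val in der_children(body)}
    realm = der_read(fields[2], 0)[1].decode("ascii")
    cname = parse_principal_name(der_read(fields[1], 0)[1])
    sname = parse_principal_name(der_read(fields[3], 0)[1])
    return f"{cname}@{realm}", f"{sname}@{realm}"


def kdc_can_serve(body_der: bytes, kdc_realm: str):
    """A KDC only issues tickets for principals in its own realm."""
    _, server = requested_principals(body_der)
    return server, server.endswith("@" + kdc_realm)


if __name__ == "__main__":
    req = kdc_req_body("user@EXTERNAL.ORG", "krbtgt/EXAMPLE.COM", 12345, [18, 17])
    print(requested_principals(req))
    print(kdc_can_serve(req, "EXAMPLE.COM"))
    print(kdc_can_serve(req, "EXTERNAL.ORG"))
```

Sending a client from EXTERNAL.ORG with sname krbtgt/EXAMPLE.COM yields a request for krbtgt/EXAMPLE.COM@EXTERNAL.ORG, which an EXAMPLE.COM KDC refuses and only an EXTERNAL.ORG KDC could answer; there is simply no second realm field to put EXAMPLE.COM in.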