
Re: Mimicking AD's Kerberos Forest Search Order (KFSO) with MIT

daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Mar 15 11:38:06 2017

To: "Osipov, Michael" <michael.osipov@siemens.com>,
        Sean Elble <elbles@sessys.com>
From: Greg Hudson <ghudson@MIT.EDU>
Message-ID: <743e2549-919b-a13d-2ab0-d0f9d9a16ce2@mit.edu>
Date: Wed, 15 Mar 2017 11:37:43 -0400
MIME-Version: 1.0
In-Reply-To: <68644224DA0DE64CA5A49838ED219A0425C0F0FF@DEFTHW99EJ5MSX.ww902.siemens.net>
Cc: "kerberos@mit.edu" <kerberos@MIT.EDU>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@MIT.EDU

On 03/15/2017 10:56 AM, Osipov, Michael wrote:
>> * The host-based service referrals mechanism also seems promising, and
>> you're certainly running a new enough version of Kerberos to accommodate
>> it.  I have not personally used it (yet), but it maintains security
>> whereas the DNS lookup mechanism does not.

> This applies only if your KDC is MIT Kerberos. All of our KDCs
> are Active Directory servers. We use MIT Kerberos only for clients.

Referrals were actually implemented first by Microsoft and later by us.
The KDC does have to know when to issue a referral to another realm for
a service principal, and I don't know whether it's possible to configure
that to happen across forests in Active Directory.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
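As an added illustration that is not part of this thread, the client-side krb5.conf settings that control how an MIT client decides which realm a host-based service principal belongs to. The weak setting is the "DNS lookup mechanism" discussed above; the explicit mapping is the configured alternative. Realm and domain names are placeholders:

```ini
[libdefaults]
    default_realm = EXAMPLE.COM
    # Weak: with dns_lookup_realm = true the client derives the realm of an
    # unmapped host from unauthenticated _kerberos TXT records in DNS, so a
    # DNS answer chooses which KDC the client talks to.
    # dns_lookup_realm = true
    #
    # Preferred: keep DNS realm lookup off and map domains explicitly.
    dns_lookup_realm = false

[domain_realm]
    # Hosts in these domains map to these realms without consulting DNS.
    .corp.example.com = CORP.EXAMPLE.COM
    .lab.example.net  = LAB.EXAMPLE.NET
```

A host that matches none of the [domain_realm] entries is requested from the default realm, and the client can then only follow a referral if that realm's KDC is configured to issue one, which is the open question about Active Directory across forests raised in the reply above.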