RE: Mimicking AD's Kerberos Forest Search Order (KFSO) with MIT
daemon@ATHENA.MIT.EDU (Osipov, Michael)
Wed Mar 15 11:42:28 2017
From: "Osipov, Michael" <michael.osipov@siemens.com>
To: Greg Hudson <ghudson@mit.edu>, Sean Elble <elbles@sessys.com>
Date: Wed, 15 Mar 2017 15:39:49 +0000
Message-ID: <68644224DA0DE64CA5A49838ED219A0425C0F15E@DEFTHW99EJ5MSX.ww902.siemens.net>
In-Reply-To: <743e2549-919b-a13d-2ab0-d0f9d9a16ce2@mit.edu>
Content-Language: de-DE
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
> On 03/15/2017 10:56 AM, Osipov, Michael wrote:
> >> * The host-based service referrals mechanism also seems promising, and
> >> you're certainly running a new enough version of Kerberos to accommodate
> >> it. I have not personally used it (yet), but it maintains security
> >> whereas the DNS lookup mechanism does not.
>
> > This applies only if your KDC is MIT Kerberos. All of our KDCs
> > are Active Directory servers. We use MIT Kerberos only for clients.
>
> Referrals were actually implemented first by Microsoft and later by us.
> The KDC does have to know when to issue a referral to another realm for
> a service principal, and I don't know whether it's possible to configure
> that to happen across forests in Active Directory.
So there is basically no way to tell MIT Kerberos that if your home realm is
unable to route the request, it should try other realms, correct?
Michael
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
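The thread contrasts three ways a client can decide which realm owns a host-based service: a static [domain_realm] mapping, the DNS lookup mechanism Sean calls insecure, and a KDC referral from the client's own realm. The following is an added example, not code from the thread or from MIT Kerberos, that models the static path a client takes when dns_lookup_realm is off: exact hostname first, then the longest matching ".domain" suffix, and otherwise a fallback to the default realm in the hope of a referral. The sample mapping and realm names are constructed placeholders, and the matching rules are a simplification of MIT's [domain_realm] semantics, stated here as an assumption rather than a description of the library.

```python
"""Model of client-side realm resolution for a host-based service principal
when DNS-based realm lookup is disabled (dns_lookup_realm = false).

Resolution order modelled here (assumption, simplified from MIT's documented
[domain_realm] behaviour; not the library's own code):
  1. an exact hostname entry in [domain_realm]
  2. the longest matching ".domain" suffix entry in [domain_realm]
  3. no static answer: the request goes to the client's default realm and the
     client depends on that KDC issuing a referral (or failing, as the thread
     describes when the home realm cannot route the request).
"""
from __future__ import annotations

from typing import Optional

# Constructed sample [domain_realm] mapping; realm and host names are placeholders.
DOMAIN_REALM: dict[str, str] = {
    "web01.corp.example.com": "SPECIAL.EXAMPLE.COM",  # exact-host override wins
    ".corp.example.com": "CORP.EXAMPLE.COM",
    ".example.com": "EXAMPLE.COM",
    ".partner.example.net": "PARTNER.EXAMPLE.NET",   # a second AD forest, mapped explicitly
}
DEFAULT_REALM = "CORP.EXAMPLE.COM"  # constructed placeholder for the client's home realm


def map_host_to_realm(hostname: str, mapping: dict[str, str]) -> Optional[str]:
    """Return the realm from a [domain_realm]-style mapping, or None if no entry applies.

    Matching is case-insensitive and ignores a trailing dot on the hostname.
    Entries without a leading dot match only that exact host; entries with a
    leading dot match any host under that domain, most specific suffix first.
    """
    host = hostname.rstrip(".").lower()
    table = {key.lower(): realm for key, realm in mapping.items()}
    if host in table:
        return table[host]
    labels = host.split(".")
    # Try ".b.c.d", then ".c.d", then ".d": the first hit is the longest suffix.
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in table:
            return table[key]
    return None


def resolve_service_realm(
    hostname: str,
    mapping: dict[str, str] = DOMAIN_REALM,
    default_realm: str = DEFAULT_REALM,
) -> tuple[str, str]:
    """Return (realm, how) where how is 'domain_realm' for a static answer or
    'referral' when the client must fall back to its default realm."""
    realm = map_host_to_realm(hostname, mapping)
    if realm is not None:
        return realm, "domain_realm"
    return default_realm, "referral"


if __name__ == "__main__":
    for host in (
        "web01.corp.example.com",
        "WEB02.Corp.Example.COM.",
        "db.partner.example.net",
        "fs.other.example.org",
    ):
        realm, how = resolve_service_realm(host)
        print(f"{host:30} -> {realm:22} ({how})")
```

The practical reading for the situation in the thread: a host in a foreign forest that has no [domain_realm] entry ends up on the "referral" path, which only works if the home KDC knows to refer it. Adding an explicit ".domain" entry for each trusted forest gives the client a static answer without enabling the DNS mechanism.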