[39517] in Kerberos


Re: IAKERB Starter Credentials Solution

daemon@ATHENA.MIT.EDU (Greg Hudson)
Sun Apr 27 01:48:46 2025

Message-ID: <fa4f4827-2be9-442f-b1d6-47bc871aa4fa@mit.edu>
Date: Sun, 27 Apr 2025 01:48:30 -0400
MIME-Version: 1.0
To: Michael B Allen <ioplex@gmail.com>, kerberos <kerberos@mit.edu>
Content-Language: en-US
From: "Greg Hudson" <ghudson@mit.edu>
In-Reply-To: <CAGMFw4jy=ceiETpLu9Aa1W0TYnjHedW3DMx7fss4XFrD-HzN=w@mail.gmail.com>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: kerberos-bounces@mit.edu

On 4/26/25 10:39, Michael B Allen wrote:
> Another method would be to modify kinit to optionally authenticate with an
> IAKERB-aware service and cache the resulting TGT in the usual way.
> 
> More specifically, add an option to krb5.conf like:
> 
>    [libdefaults]
>        iakerb_idp = https://idp1.mega.corp/do/iakerb

If the goal is simply to tunnel an AS/TGS exchange over https using a 
web server set up for that purpose, I think MS-KKDCP is a more natural 
fit than IAKERB.  See:

     https://web.mit.edu/kerberos/krb5-latest/doc/admin/https.html
     https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kkdcp/
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
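
The framing MS-KKDCP uses to carry an AS/TGS request in an HTTPS POST body, as an added example that is not from this thread or from MIT krb5. The function names and sample bytes are constructed here; the field layout (kerb-message [0] carrying the RFC 4120 four-byte length prefix, optional target-domain [1]) follows the MS-KKDCP specification linked above.

```python
def tlv(tag, value):
    n = len(value)
    if n < 0x80:
        head = bytes([n])
    else:  # DER long form: 0x80 | number of length octets, then the length
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + value

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def encode_kkdcp(krb_msg, realm=None):
    """Client side: wrap a raw AS-REQ/TGS-REQ in a KDC-PROXY-MESSAGE."""
    framed = len(krb_msg).to_bytes(4, "big") + krb_msg   # same prefix as Kerberos over TCP
    fields = tlv(0xA0, tlv(0x04, framed))                # kerb-message [0] OCTET STRING
    if realm is not None:
        fields += tlv(0xA1, tlv(0x1B, realm.encode("ascii")))  # target-domain [1] GeneralString
    return tlv(0x30, fields)

def decode_kkdcp(body):
    """Proxy side: parse the POST body, rejecting a length prefix that disagrees with the payload."""
    tag, seq, end = read_tlv(body)
    if tag != 0x30 or end != len(body):
        raise ValueError("body is not a single DER SEQUENCE")
    out, pos = {"realm": None, "krb_msg": None}, 0
    while pos < len(seq):
        ctx, inner, pos = read_tlv(seq, pos)
        itag, val, _ = read_tlv(inner)
        if ctx == 0xA0 and itag == 0x04:
            if len(val) < 4 or int.from_bytes(val[:4], "big") != len(val) - 4:
                raise ValueError("length prefix mismatch")
            out["krb_msg"] = val[4:]
        elif ctx == 0xA1 and itag == 0x1B:
            out["realm"] = val.decode("ascii")
    if out["krb_msg"] is None:
        raise ValueError("kerb-message missing")
    return out

SAMPLE = b"\x6a" + b"\x00" * 200  # constructed stand-in bytes, not a real AS-REQ
```

The decoder skips fields it does not recognise, such as the optional dclocator-hint [2].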
