[39518] in Kerberos


Re: IAKERB Starter Credentials Solution

daemon@ATHENA.MIT.EDU (Michael B Allen)
Sun Apr 27 08:55:21 2025

MIME-Version: 1.0
In-Reply-To: <fa4f4827-2be9-442f-b1d6-47bc871aa4fa@mit.edu>
From: Michael B Allen <ioplex@gmail.com>
Date: Sun, 27 Apr 2025 08:53:43 -0400
Message-ID: <CAGMFw4gG9yS3Mx_Pt2hTYDEv30xbDgx7Vue7n7RNWPdqwtXwhg@mail.gmail.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: kerberos <kerberos@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On Sun, Apr 27, 2025 at 1:48 AM Greg Hudson <ghudson@mit.edu> wrote:

> On 4/26/25 10:39, Michael B Allen wrote:
> > Another method would be to modify kinit to optionally authenticate with an
> > IAKERB-aware service and cache the resulting TGT in the usual way.
> >
> > More specifically, add an option to krb5.conf like:
> >
> >    [libdefaults]
> >        iakerb_idp = https://idp1.mega.corp/do/iakerb
>
> If the goal is simply to tunnel an AS/TGS exchange over https using a
> web server set up for that purpose, I think MS-KKDCP is a more natural
> fit than IAKERB.  See:
>
>      https://web.mit.edu/kerberos/krb5-latest/doc/admin/https.html
>
> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kkdcp/
>

Yes!

This is better. It's basically the same just more direct and apparently
already implemented.

Will the MITK gss initiators use the HTTPS proxy to get TGS tickets too?

That would dodge IAKERB entirely.

Thanks,
Mike

-- 
Michael B Allen
Java AD DS Integration
https://www.ioplex.com/
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
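For readers following the MS-KKDCP suggestion above, the following krb5.conf fragment is an added illustration (not part of either message in this thread) of the client-side setup described in the MIT document Greg links: the KDC proxy URL is given as the value of `kdc` (and optionally `kpasswd_server`) in the realm's `[realms]` entry, and the CA that signed the proxy's TLS certificate is supplied via `http_anchors`. The realm name, hostname and certificate path are placeholders. Because libkrb5 sends every KDC request for the realm through the configured `kdc` transport, this one setting covers both the initial AS exchange and later TGS exchanges, which is the point of Mike's question about GSS initiators.

```ini
# Added example krb5.conf fragment; EXAMPLE.ORG, kerbproxy.example.org and the
# certificate path are placeholders, not values from the thread.
[libdefaults]
    default_realm = EXAMPLE.ORG

[realms]
    EXAMPLE.ORG = {
        # MS-KKDCP proxy: KDC traffic is wrapped in POSTs to this URL.
        # The scheme must be https; plain http is rejected by the client.
        kdc = https://kerbproxy.example.org/KdcProxy
        # Password changes can go through the same proxy.
        kpasswd_server = https://kerbproxy.example.org/KdcProxy
        # Trust anchor(s) used to validate the proxy's TLS certificate.
        # Pinning to a specific CA here avoids depending on the system store.
        http_anchors = FILE:/etc/krb5/kdcproxy-ca.pem
    }

[domain_realm]
    .example.org = EXAMPLE.ORG
    example.org = EXAMPLE.ORG
```

With this in place, `kinit` and any GSS-API initiator using the same library talk to the proxy over TLS rather than to UDP/TCP port 88, and the realm's KDC need not be reachable from the client network at all. Verifying the proxy certificate against `http_anchors` matters because the proxy sees the full AS and TGS exchanges; the Kerberos messages are still protected by their own keys, but a trusted TLS path keeps an interposing host from harvesting encrypted timestamps or redirecting clients.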

