Mimicking AD's Kerberos Forest Search Order (KFSO) with MIT Kerberos

Greg Hudson ghudson at mit.edu
Wed Mar 15 11:46:46 EDT 2017


On 03/15/2017 11:39 AM, Osipov, Michael wrote:
> So there is basically no way to tell MIT Kerberos if your home realm is
> unable to route the request, it should try other realms, correct?

No; we have a fallback realm mechanism in the TGS client code, but it
only tries one realm (determined by TXT records or DNS heuristics) and
you can't configure a list.

We haven't implemented a TGS realm search path because:

1. It's not completely secure, in that an attacker can forge error
messages to make the client walk the list past the ideal destination for
a given service.  FAST TGS was supposed to fix this, but for various
reasons it doesn't.

2. The TGS client code is already really complicated, and we're
reluctant to add more complexity to code that is hard to understand as
it is.

3. There are some caching concerns, which if left unaddressed would lead
to a lot of repeated TGS requests to the earlier realms.

That said, I'm told Heimdal recently added support for a feature like
this, so if Microsoft does as well, that makes us the odd one out, and
we should perhaps reconsider.
