restriction of AS based on requestor

Jeffrey Altman jaltman2 at nyc.rr.com
Fri Mar 19 11:36:09 EST 2004


Mihai RUSU wrote:
> Hi
> 
> I wonder if its possible to configure something on the KDC side to "show" 
> to some "service" requestors only some users. I mean because KDC manages 
> the auth info it whould be the perfect place were to allow some users to 
> use some service, others to use other service and so on. Curently to me it 
> seems KDC allows all users in the same realm to access all services.
> 
> PS: of course there is the posibility to have some more "service" side 
> checks to allow only some users but what is the purpose of having 
> KDC/Kerberos if not to manage such things from a single location ?
> 
> Thanks!
> 

The KDC provides authentication information only.  It does not provide
authorization data.  It is the responsibility of the service to check
via some other means whether or not the client who has authenticated
has the necessary privileges or not to access the service.

Jeffrey Altman


More information about the Kerberos mailing list