Kerberos referrals

Josh Howlett josh.howlett at bristol.ac.uk
Wed Nov 9 06:19:43 EST 2005


Kerberos referrals have been implemented in Heimdal and MIT (with a 
patch from UMich) and, of course, Windows.

My understanding is that Kerberos referrals are used to permit 
cross-realm authentication against remote realms that are not explicitly 
configured in the client's configuration.

Of particular interest to me is that the MIT implementation permits 
referral of requests for unknown realms to a "default" KDC, with the 
assumption that this other KDC knows what to do with the request. I 
believe that the purpose of this is to enable the construction of a 
multiple-level hierarchy of KDCs, with a root KDC at the top from which 
all realms are reachable.

This is well and good, but in a typical environment the clients (W2K 
clients) will only talk in the first instance to a W2K KDC, and these 
KDCs do not permit the configuration of referral to a "default" KDC in the 
event that the realm of the server principal is unknown.

Therefore, in order to permit referral of clients to a "default" KDC and 
the construction of an arbitrary multi-level hierarchy, it would appear 
necessary to intercept and service the application ticket request from 
the client *before* it reaches the Windows KDC (because it will simply 
return an error). This implies a "kerberos proxy" agent, which is 
transparent for local realm requests, but catches non-local realm 
requests and forwards them to the KDC which handles these remote realms.

Does this make sense? Is it feasible? Or have I completely lost my marbles?

I'm aware that there are some significant practical difficulties with 
this approach (i.e. how does the proxy agent retrieve the user's secret 
from the Windows KDC to generate a valid referral?). If anyone can point 
out any more pitfalls, I would be very grateful so I can stop wasting my 
time on this :-)

Many thanks, josh.
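The routing decision of the proxy agent sketched in the post, as an added example that is not part of the original message: it reads the server realm out of a KDC-REQ's req-body (RFC 4120 section 5.4.1) and picks a local KDC or the "default" KDC. Realm names, KDC hosts and the sample TGS-REQ are constructed; the hard part the post raises (producing a valid referral without the client's key) is deliberately not shown.

```python
# Constructed routing table: realms this proxy knows, and the fallback "default" KDC.
LOCAL_KDCS = {"EXAMPLE.ORG": "kdc.example.org", "PARTNER.EXAMPLE": "kdc.partner.example"}
DEFAULT_KDC = "root-kdc.example.net"

def der(tag, body):
    """Encode one DER TLV with a definite (short or long form) length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = (len(body).bit_length() + 7) // 8
    return bytes([tag, 0x80 | n]) + len(body).to_bytes(n, "big") + body

def tlv(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                      # long form: ln & 0x7F length bytes follow
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def fields(seq_body):
    """Map context-specific tag -> contained TLV for the elements of a SEQUENCE body."""
    out, pos = {}, 0
    while pos < len(seq_body):
        tag, val, pos = tlv(seq_body, pos)
        out[tag] = val
    return out

def server_realm(kdc_req):
    """Return the realm field of KDC-REQ-BODY, i.e. the realm of the requested server."""
    tag, app, _ = tlv(kdc_req)
    if tag not in (0x6A, 0x6C):        # [APPLICATION 10] AS-REQ or [APPLICATION 12] TGS-REQ
        raise ValueError("not a KDC-REQ")
    req_body = fields(tlv(app)[1])[0xA4]      # req-body is field [4] of KDC-REQ
    realm = fields(tlv(req_body)[1])[0xA2]    # realm is field [2] of KDC-REQ-BODY
    rtag, value, _ = tlv(realm)
    if rtag != 0x1B:                   # Realm is a KerberosString (GeneralString)
        raise ValueError("realm is not a GeneralString")
    return value.decode("ascii")

def route(kdc_req):
    """Locally known realms go to their own KDC; anything else is forwarded to DEFAULT_KDC."""
    return LOCAL_KDCS.get(server_realm(kdc_req).upper(), DEFAULT_KDC)

def sample_tgs_req(realm, service, host):
    """Constructed TGS-REQ carrying only the req-body fields the router needs (padata omitted)."""
    ctx = lambda n, body: der(0xA0 | n, body)          # context-specific, constructed [n]
    gs = lambda s: der(0x1B, s.encode("ascii"))        # GeneralString
    sname = der(0x30, ctx(0, der(0x02, b"\x02")) + ctx(1, der(0x30, gs(service) + gs(host))))
    body = der(0x30, ctx(0, der(0x03, b"\x00\x00\x00\x00\x00")) + ctx(2, gs(realm)) + ctx(3, sname)
                     + ctx(7, der(0x02, b"\x2A")) + ctx(8, der(0x30, der(0x02, b"\x12"))))
    return der(0x6C, der(0x30, ctx(1, der(0x02, b"\x05")) + ctx(2, der(0x02, b"\x0C")) + ctx(4, body)))
```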
