Kerberos referrals

Kevin Coffman kwc at citi.umich.edu
Wed Nov 9 16:25:04 EST 2005


On 11/9/05, Josh Howlett <josh.howlett at bristol.ac.uk> wrote:
> Kevin Coffman wrote:
> > We started with a patch that assumed all referrals would go to one place.
> >
> > We had a need to send referrals to either a test Windows forest or a
> > production forest.  That is where the [domain_referral] stuff came
> > from.  Then we found that some requests were coming in without
> > fully-qualified names, and therefore we could not determine the
> > "right" place for the referral.  For those requests, we send the
> > referral to the default place, which in our case is to the production
> > forest.
>
> Kevin,
>
> Do you think it would be possible to introduce an MIT KDC into an
> existing AD environment, such that W2K clients in the AD realm (if
> making a request for an unknown principal) can get referred to the MIT
> KDC's "default" place?

I think you're asking if an AD KDC can send a client a referral to an
MIT KDC.  If that is correct, then I don't know the answer.  If it
isn't correct, could you restate the question?



More information about the Kerberos mailing list