Kerberos referrals
Kevin Coffman
kwc at citi.umich.edu
Wed Nov 9 16:25:04 EST 2005
On 11/9/05, Josh Howlett <josh.howlett at bristol.ac.uk> wrote:
> Kevin Coffman wrote:
> > We started with a patch that assumed all referrals would go to one place.
> >
> > We had a need to send referrals to either a test Windows forest or a
> > production forest. That is where the [domain_referral] stuff came
> > from. Then we found that some requests were coming in without
> > fully-qualified names, and therefore we could not determine the
> > "right" place for the referral. For those requests, we send the
> > referral to the default place, which in our case is to the production
> > forest.
>
> Kevin,
>
> Do you think it would be possible to introduce an MIT KDC into an
> existing AD environment, such that W2K clients in the AD realm (if
> making a request for an unknown principal) can get referred to the MIT
> KDC's "default" place?
I think you're asking if an AD KDC can send a client a referral to an
MIT KDC. If that is correct, then I don't know the answer. If it
isn't correct, could you restate the question?
More information about the Kerberos
mailing list