Kerberos referrals
Ken Raeburn
raeburn at MIT.EDU
Thu Nov 10 01:56:25 EST 2005
On Nov 9, 2005, at 21:19, Saber Zrelli wrote:
> I read this draft and I am trying to understand how referrals work.
>
> In section 8. "Cross realm routingi", It is said that for server
> referrals, the KDC takes in charge the optimization of the referral
> path because it has more information about cross-realm routing.
>
> Does this mean that the KDC will provide the client with a TGT and
> the target realm (where the service is located) in the
> PA-SERVER-REFERRAL of the reply ?
That's sort of the idea, yes. Though Larry Zhu and I were discussing
today what happens if the local KDC has no cross-realm key for the
target realm, but can refer you to an intermediate realm which may
not be able to do referrals; I think the draft is going to need some
work to cover that case.
Ken
More information about the Kerberos
mailing list