Cross-realm network traffic...
Jeffrey Altman
jaltman2 at nyc.rr.com
Thu Nov 17 16:08:19 EST 2005
Jiva DeVoe wrote:
> In the case of cross-realm authentication (i.e. user at REALM1.COM
> authenticating to service/foo at REALM2.COM) does any traffic pass between
> either the respective KDCs or does the user at REALM1.COM client need to
> contact the KDC in REALM2?
>
> The context of the question is: if I have one or the other of the two
> realms behind a firewall, do I need to open any additional ports besides
> the traffic port for my service in order to support Kerberos
> authentication?
>
> (This is of course assuming the cross-realm principals are configured
> appropriately in each realm.)
The client talks to a KDC in each realm in order to obtain the
TGTs for each realm. KDCs from different realms do not talk to one
another.
Firewalls should not block port 88/udp or 88/tcp. Otherwise, clients
cannot obtain tickets.
Jeffrey Altman
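As an added example (not part of the original thread), a small Python model of the ticket-acquisition path Jeffrey describes, plus a firewall check derived from it: the client needs 88/udp or 88/tcp to the KDC of each realm it touches, and no KDC-to-KDC flow appears anywhere in the path. The host names, the service port and the direct-trust (no intermediate realm) assumption are constructed for the example.

```python
from dataclasses import dataclass

KDC_PORT = 88  # the port the reply says firewalls must not block (udp and tcp)

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str  # "udp" or "tcp"

def ticket_path(client_realm: str, service: str, service_realm: str, kdc_of: dict):
    """Ordered (request, kdc_host, principal_requested) messages the client sends.
    Direct trust assumed: the cross-realm TGT is issued by the HOME KDC, and only
    then does the client contact the remote KDC. No KDC-to-KDC step exists."""
    home = kdc_of[client_realm]
    path = [("AS-REQ", home, f"krbtgt/{client_realm}@{client_realm}")]
    if service_realm != client_realm:
        path.append(("TGS-REQ", home, f"krbtgt/{service_realm}@{client_realm}"))
    path.append(("TGS-REQ", kdc_of[service_realm], f"{service}@{service_realm}"))
    return path

def unreachable_kdcs(client: str, path, allowed: set) -> list:
    """KDC hosts on the path that the firewall lets the client reach on neither
    88/udp nor 88/tcp; an empty list means authentication can complete."""
    missing = []
    for _, kdc, _ in path:
        reachable = any(Flow(client, kdc, KDC_PORT, p) in allowed for p in ("udp", "tcp"))
        if not reachable and kdc not in missing:
            missing.append(kdc)
    return missing

# --- constructed sample: client and KDC in REALM1, service in REALM2 behind a firewall
CLIENT = "client.realm1.com"
KDCS = {"REALM1.COM": "kdc1.realm1.com", "REALM2.COM": "kdc2.realm2.com"}
PATH = ticket_path("REALM1.COM", "service/foo", "REALM2.COM", KDCS)

LOCAL = {Flow(CLIENT, "kdc1.realm1.com", KDC_PORT, "udp")}  # home KDC, same side of firewall
# only the service's own port (constructed value 9999) is opened through REALM2's firewall
SERVICE_ONLY = LOCAL | {Flow(CLIENT, "foo.realm2.com", 9999, "tcp")}
# ... and the same policy with 88/tcp to REALM2's KDC added
WITH_KDC = SERVICE_ONLY | {Flow(CLIENT, "kdc2.realm2.com", KDC_PORT, "tcp")}

if __name__ == "__main__":
    for req, kdc, princ in PATH:
        print(f"{req:8} -> {kdc:18} for {princ}")
    print("blocked, service port only:", unreachable_kdcs(CLIENT, PATH, SERVICE_ONLY))
    print("blocked, plus 88/tcp to kdc2:", unreachable_kdcs(CLIENT, PATH, WITH_KDC))
```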