using MIT-Kerberos in an NAT environment
Ken Hornstein
kenh at cmf.nrl.navy.mil
Fri Dec 15 16:24:05 EST 2006
>We are using kerberos v5 authentication for a centrally hosted
>application. Some sites now have to be attached via NAT due to
>overlap in IP address ranges. We got the same problem as mentioned
>below at password changes ([MitKerberosChangePasswordService : 148]
>Server error: Failed decrypting request).
>
>Is there a workaround to use a central Kerberos authentication instance
>with locations attached via NAT? Using cross realm authentication seems not
>to be a practical solution, as more small sites may have to be attached
>and administration of the user accounts should be central.
For years I have been running with a small change to the Kerberos
server that allows password changing to work when the client is
behind a NAT. That is a reasonable option, IMHO (as opposed to
waiting an unspecified amount of time for the implementation of a
new password change protocol, and then waiting an even longer unspecified
time for that protocol to be deployed).
--Ken