using MIT-Kerberos in an NAT environment

Ken Hornstein kenh at cmf.nrl.navy.mil
Fri Dec 15 16:24:05 EST 2006


>We are using kerberos v5 authentication for a centrally hosted
>application. Some sites now have to be attached via NAT due to
>overlap in IP address ranges. We got the same problem as mentioned
>below at password changes ([MitKerberosChangePasswordService : 148]
>Server error: Failed decrypting request).
>
>Is there a workaround to use a central kerberos authentication instance
>with locations attached via NAT? Using cross realm authentication seems not
>to be a practical solution, as more small sites may have to be attached
>and administration of the user accounts should be central.

For years I have been running with a small change to the Kerberos
server that allows password changing to work when the client is
behind a NAT.  That is a reasonable option, IMHO (as opposed to
waiting an unspecified amount of time for the implementation of a
new password change protocol, and then waiting an even longer unspecified
time for that protocol to be deployed).

--Ken


