Kerberos proxy for implementing referrals

Richard E. Silverman res at qoxp.net
Wed May 24 12:25:39 EDT 2006


I'm considering the use of a Kerberos proxy, to solve the problem of being
unable to do cross-realm authentication through a Windows realm to an MIT
one, due to Windows not issuing referrals for external realms.  The proxy
would issue referrals where needed instead of having the Windows KDC say
"no such principal," and send/return all other requests to Windows for the
client.  Obviously, the proxy will need the TGS keys for the Windows
realm.  This is a last resort; I'm going mad badgering Microsoft for some
sort of solution to this.  My outstanding request to them is whether they
can issue default referrals.  I'm not expecting a positive answer.

I'm wondering whether anyone else has considered this, or (hoping against
hope), already implemented it?

I've considered using the KfW GSSAPI library with clients that support it
(Firefox, SecureCRT, etc.), but this is probably not a workable option for
us.

All comments welcome and appreciated,

-- 
  Richard Silverman
  res at qoxp.net



