Kerberize Webserver outside our domain

Brian Candler B.Candler at pobox.com
Wed Dec 15 15:51:46 EST 2010


On Wed, Dec 15, 2010 at 08:44:09AM +0100, Andreas Bruckmeier wrote:
> we will set up a new domain in our office using a windows server with active
> directory and its Kerberos component.
> In a test environment we were able to kerberize a local webserver with
> mod_auth_kerb.
> Now I have the question if it is possible to also kerberize a public
> webserver standing outside our office, maybe with the webserver connected
> via VPN for KDC-connections.
> Is this possible

It should be OK.

Note that for normal client->server authentication, it's the client's
responsibility to talk to the KDC(s) to get the correct ticket: as I
understand it, the server doesn't have to talk to the KDC at all.

It may need to talk to the KDC when initially setting up the shared secret,
depending on how you do this.  (If the web server is a Linux box you could get
the third party program css_adkadmin, or I think there are components of
Samba which can do it too.)

> and is this the main purpose of the domain_realm mapping?

The main purpose of domain_realm is for working with multiple Kerberos
realms. Because it's the client's responsibility to get the correct ticket
for talking to a host, it has to find out what realm that host is in first,
and then exchange tickets with intermediate KDC(s) as necessary.

That's another way to build it: have a KDC for a separate realm on the
"outside", and the service machines join that realm.  Then you set up
cross-realm trust between your internal AD realm, and your external realm
(which could be MIT Kerberos).  This could be worthwhile if you have lots of
machines on the outside.
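As an added illustration (not part of Brian's reply), a client-side krb5.conf for the two-realm layout he sketches: an internal AD realm, a separate MIT realm for the public web servers, a domain_realm mapping so clients can tell which realm the public host belongs to, and a capaths entry declaring the direct cross-realm trust. All realm, host and domain names are constructed for the example.

```ini
# Constructed example: OFFICE.EXAMPLE is the AD realm, DMZ.EXAMPLE the
# external MIT realm. Clients in the office use this file.
[libdefaults]
    default_realm = OFFICE.EXAMPLE
    # Take host->realm mapping from this file, not from DNS TXT records,
    # so an attacker who can answer DNS cannot redirect clients to a realm.
    dns_lookup_realm = false

[realms]
    OFFICE.EXAMPLE = {
        kdc = dc1.office.example
        admin_server = dc1.office.example
    }
    DMZ.EXAMPLE = {
        kdc = kdc1.dmz.example
        admin_server = kdc1.dmz.example
    }

# Host/domain -> realm. This is what lets a client work out that the public
# web server lives in DMZ.EXAMPLE before it asks for a service ticket.
[domain_realm]
    .office.example = OFFICE.EXAMPLE
    office.example  = OFFICE.EXAMPLE
    .dmz.example    = DMZ.EXAMPLE
    www.dmz.example = DMZ.EXAMPLE

# Cross-realm path: "." means a direct trust with no intermediate realm.
[capaths]
    OFFICE.EXAMPLE = {
        DMZ.EXAMPLE = .
    }
    DMZ.EXAMPLE = {
        OFFICE.EXAMPLE = .
    }
```

The file only tells clients how to find and chain realms; the cross-realm keys themselves still have to be created on both KDCs (krbtgt/DMZ.EXAMPLE@OFFICE.EXAMPLE and the reverse) before a ticket obtained from the AD side is accepted by the web server.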