service that communicates with different KDCs

Greg Hudson ghudson at MIT.EDU
Fri Nov 5 10:56:46 EDT 2010


On Thu, 2010-11-04 at 06:53 -0400, Ben wrote:
> The problem is that it's a webservice that
> possibly needs to communicate with different KDCs.

Kerberos services don't actually need to communicate with KDCs unless
they also act as Kerberos clients for some reason.

> Is it possible to allow this application to
> authenticate users from different KDC's.

Yes, this is possible.

> My main concern is that you need time synchronisation, which is quite
> difficult if multiple clients want to use their own KDC server.

One would hope that all of the KDCs are within a few seconds of the
correct time.





More information about the Kerberos mailing list