Kerberos outside the firewall

Nordgren, Bryce L -FS bnordgren at
Tue Dec 2 13:45:59 EST 2014

> But if one understands the protocols involved, one gets very dubious
> about the idea that exposing the file servers is safe and exposing Kerberos is
> not.

Ah, that's the problem.

Here, anyway, the model where "one" person/entity makes self-consistent decisions concerning the entire enterprise IT stack is flawed. The CIO is responsible for the corporate identity store and the end users are currently responsible for all collaboration IT (from ISP to DHCP/DNS to OS to applications, all the while "pinky swearing" that we will obey all applicable regulations, whatever they might be.) Absolutely no one holds the position you just expressed.  That's just the inevitable result  of bad policies which require regular exceptions for the organization to function.

We're making progress in terms of getting a CIO managed collaboration network, but so far we've only got buy in from the enterprise network team, and not the identity management team. It will take both of these teams ganging up on the enterprise security team to get any kind of traction on exposing Kerberos IDs. If this kind of fragmentation is common elsewhere, it may explain why railing against a lack of understanding has not worked. You need some serious motivation (i.e., pushback) to overcome this kind of inertia.

Or, "go with the flow" and just adapt the corporate IDs that they do publish. Depends on how fond of pain you are, I guess. :) May not be ideal, but it's better than nothing.


This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.

More information about the Kerberos mailing list