Problems with Kerberos authentication over internet

Tom Yu tlyu at MIT.EDU
Thu Jan 9 14:15:16 EST 2014


"arpit.orb" <arpit.orb at gmail.com> writes:

> Hi,
>
> I am using Kerberos over the internet by assigning a public IP to the KDC. However, I have the following doubts:
>
> 1. Why is it that Kerberos is not deployed as a preferred authentication mechanism over the internet? I understand that some reasons are vulnerability if KDC over port 88, address in tickets etc. But is there any other technical reason for which Kerberos should not be used over a public network?

I believe there is no technical reason the KDC can't be open to the
entire Internet.  Your organization's risk posture might dictate
otherwise.  Also, addresses in tickets haven't been the default for
many years.

> 2. Are there any known issues with and without VPN?

This seems to be a very general question.  Do you have some specific
scenarios in mind?


