PPTP / L2TP with Kerberos -- what specs does it follow?

Frank Cusack frank at linetwo.net
Fri Nov 28 04:42:15 EST 2014


On Fri, Nov 28, 2014 at 1:15 AM, Rick van Rein <rick at openfortress.nl> wrote:

> Hey,
>
> > There were numerous advantages to this approach for our environment,
> however we never deployed it.  I should have written a brief paper at the
> time.
>
> You still may ;-)
>
> It would require a new SRV record, and it would confuse Kerberos clients,
> I suspect.  But it’s an interesting angle.
>

IIRC, we were going to remove the traditional AS altogether.  So a standard
client would need a TGT to start with (retrieved from the TGS, I don't
recall if this was a special case or just treated as an ordinary ticket)
and would only have to or be able to interact with the TGS.

Now I remember the primary advantage -- more extensibility and choices
(even dynamic) of initial authentication methods.  But this also led to
follow-on advantages.

