PPTP / L2TP with Kerberos -- what specs does it follow?
Frank Cusack
frank at linetwo.net
Fri Nov 28 04:42:15 EST 2014
On Fri, Nov 28, 2014 at 1:15 AM, Rick van Rein <rick at openfortress.nl> wrote:
> Hey,
>
> > There were numerous advantages to this approach for our environment,
> however we never deployed it. I should have written a brief paper at the
> time.
>
> You still may ;-)
>
> It would require a new SRV record, and it would confuse Kerberos clients,
> I suspect. But it’s an interesting angle.
>
IIRC, we were going to remove the traditional AS altogether. So a standard
client would need a TGT to start with (retrieved from the TGS, I don't
recall if this was a special case or just treated as an ordinary ticket)
and would only have to or be able to interact with the TGS.
Now I remember the primary advantage -- more extensibility and choices
(even dynamic) of initial authentication methods. But this also led to
follow-on advantages.
More information about the Kerberos
mailing list