PPTP / L2TP with Kerberos -- what specs does it follow?

Ken Hornstein kenh at cmf.nrl.navy.mil
Sun Nov 30 00:42:39 EST 2014


>We would really like to understand better (and hopefully counter) this
>idea that KDCs should not be exposed to the public internet.

I can only offer my $0.02.

I have gotten this strong pushback from people who are running a KDC which is
part of their Active Directory server.  The idea of making the Active Directory
server reachable from the public internet is simply frightening to them.  I
got the impression that people get information from Microsoft that making
the AD server accessible to the public internet is a bad idea, but don't
quote me on that.

Actually, DO quote me on that.  I'll give you some references:

    http://technet.microsoft.com/en-us/library/dn509513.aspx

The key quote here:

    Domain controllers and AD FS servers should never be exposed
    directly to the Internet and should only be reachable through the
    VPN connection.

Also, I suspect that many AD administrators don't see the need; why
would you ever take a managed computer outside of the intranet?  They
don't view AD as a KDC implementation; they view it as "the Microsoft
authentication server", and to them there are only downsides to exposing
it to the Internet at large.  You could explain about the Kerberos
protocol to them until you're blue in the face (believe me, I've tried),
but they don't care and aren't interested in hearing about it.  If it's
you vs. the official Microsoft recommendation, you're going to lose.

I think that if you (by "you" I mean MIT) reached out to Microsoft and
got them to publish an official technote on their website saying that it
is safe to make the Kerberos bits of your domain controller accessible
from the Internet, that would go a long way toward solving this problem.

(The people I know who run an open-source KDC generally don't have a
problem making it available to the Internet; I don't know if that's
because that's more common in that world, a higher sophistication on
part of the administrators, or some other factor).

--Ken
