PPTP / L2TP with Kerberos -- what specs does it follow?
Rick van Rein
rick at openfortress.nl
Sun Nov 30 05:09:22 EST 2014
Hi,
I was also surprised about the fear of opening a KDC up to the public, but...
> The idea of making the Active Directory
> server reachable from the public internet is simply frightening to them.
…in this specific vendor case I can imagine. The closedness of the code,
combined with the track record of this particular vendor in security matters
would make me think again. That is perhaps FUD-based reasoning.
> http://technet.microsoft.com/en-us/library/dn509513.aspx
>
> The key quote here:
>
> Domain controllers and AD FS servers should never be exposed
> directly to the Internet and should only be reachable through the
> VPN connection.
This is a very general statement, and is too broad to conclude that the
Kerberos5 p[ao]rt should be confined to a LAN.
> Also, I suspect that many AD administrators don't see the need; why
> would you ever take a managed computer outside of the intranet?
The modern keyword “mobility” springs to mind…
And of course “SSO” as a clinching argument for users…
-Rick