PPTP / L2TP with Kerberos -- what specs does it follow?

Rick van Rein rick at openfortress.nl
Sun Nov 30 05:09:22 EST 2014


Hi,

I was also surprised about the fear of opening a KDC up to the public, but...

> The idea of making the Active Directory
> server reachable from the public internet is simply frightening to them.

…in this specific vendor case I can imagine.  The closedness of the code,
combined with the track record of this particular vendor in security matters
would make me think again.  That is perhaps FUD-based reasoning.

>    http://technet.microsoft.com/en-us/library/dn509513.aspx
> 
> The key quote here:
> 
>    Domain controllers and AD FS servers should never be exposed
>    directly to the Internet and should only be reachable through the
>    VPN connection.

This is a very general statement, and is too broad to conclude that the
Kerberos5 p[ao]rt should be confined to a LAN.

> Also, I suspect that many AD administrators don't see the need; why
> would you ever take a managed computer outside of the intranet?

The modern keyword “mobility” springs to mind…
And of course “SSO” as a clinching argument for users…

-Rick
