PPTP / L2TP with Kerberos -- what specs does it follow?

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Sun Nov 30 13:57:04 EST 2014


> >    Domain controllers and AD FS servers should never be exposed
> >    directly to the Internet and should only be reachable through the
> >    VPN connection.
>
> This is a very general statement, and is too broad to conclude that the
> Kerberos5 p[ao]rt should be confined to a LAN.

Kerberos is not a complete identity solution. You would also need to expose the LDAP p[ao]rt which parcels out a few user attributes (name, email, something like an SID or UID/GID...). Otherwise you have to synchronize two pieces of an identity solution run by two different organizations/people.

My understanding is that most AD trusts involve much more than just Kerberos, are two way and are transitive. There's no middle ground between "isolated" and "at the mercy of all comers."

> The modern keyword “mobility” springs to mind… And of course “SSO” as a
> clinching argument for users…

Kerberos is not a good cross-organization SSO solution, and if you're not talking cross-organization, why are you talking about off-LAN operations? :) Nico's new PKCROSS draft may change that.

Bryce




This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.
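The trust properties Bryce refers to (direction, transitivity, and the "middle ground" settings such as SID filtering and selective authentication) are stored as flags on the trustedDomain object of each domain. The following is an added example, not code from the post or the list: a small Python decoder run over constructed sample trustedDomain entries. The bit values for trustAttributes, trustDirection and trustType are the ones documented in MS-ADTS; the partner names, the sample entries and the helper names are assumptions made for the illustration.

```python
"""Decode AD trustedDomain entries to see what a trust actually grants.

Added example. The flag values come from MS-ADTS (trustAttributes,
trustDirection, trustType); the sample entries below are constructed.
"""
from dataclasses import dataclass

# trustAttributes bits (MS-ADTS 6.1.6.7.9)
NON_TRANSITIVE = 0x01
UPLEVEL_ONLY = 0x02
QUARANTINED_DOMAIN = 0x04     # SID filtering enabled
FOREST_TRANSITIVE = 0x08
CROSS_ORGANIZATION = 0x10     # selective authentication
WITHIN_FOREST = 0x20
TREAT_AS_EXTERNAL = 0x40
USES_RC4_ENCRYPTION = 0x80

# trustDirection values (MS-ADTS 6.1.6.7.12). "outbound" means the local
# (primary) domain trusts the partner, so the partner's users can be
# authenticated to local resources.
DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}

# trustType values (MS-ADTS 6.1.6.7.15); 3 is a non-Windows Kerberos realm.
TRUST_TYPE = {1: "downlevel", 2: "uplevel", 3: "mit-kerberos", 4: "dce"}


@dataclass
class TrustSummary:
    partner: str
    trust_type: str
    direction: str
    transitive: bool
    sid_filtering: bool
    selective_auth: bool


def summarize_trust(entry: dict) -> TrustSummary:
    """Reduce one trustedDomain entry (as a dict of LDAP attributes) to
    the properties that matter for exposure."""
    attrs = entry["trustAttributes"]
    ttype = entry["trustType"]
    if attrs & NON_TRANSITIVE:
        transitive = False
    elif ttype == 3:
        # Realm trusts are transitive unless the NON_TRANSITIVE bit is set.
        transitive = True
    else:
        # Within-forest (parent/child, tree-root) and forest trusts are
        # transitive; an uplevel external trust without these bits is not.
        transitive = bool(attrs & (FOREST_TRANSITIVE | WITHIN_FOREST))
    return TrustSummary(
        partner=entry["partner"],
        trust_type=TRUST_TYPE.get(ttype, f"unknown({ttype})"),
        direction=DIRECTION.get(entry["trustDirection"], "unknown"),
        transitive=transitive,
        sid_filtering=bool(attrs & QUARANTINED_DOMAIN),
        selective_auth=bool(attrs & CROSS_ORGANIZATION),
    )


def open_to_all_comers(entries: list) -> list:
    """Partners whose users can authenticate to local resources without
    per-server 'Allowed to Authenticate' grants: the local side trusts
    them (outbound or bidirectional) and selective auth is off."""
    result = []
    for s in map(summarize_trust, entries):
        if s.direction in ("outbound", "bidirectional") and not s.selective_auth:
            result.append(s.partner)
    return sorted(result)


# Constructed sample data: one entry per kind of trust seen in practice.
SAMPLE_TRUSTS = [
    {"partner": "child.corp.example", "trustType": 2, "trustDirection": 3,
     "trustAttributes": WITHIN_FOREST},
    {"partner": "partner.example", "trustType": 2, "trustDirection": 3,
     "trustAttributes": FOREST_TRANSITIVE},
    {"partner": "vendor.example", "trustType": 2, "trustDirection": 2,
     "trustAttributes": QUARANTINED_DOMAIN},
    {"partner": "EXAMPLE.ORG", "trustType": 3, "trustDirection": 2,
     "trustAttributes": NON_TRANSITIVE},
    {"partner": "research.example", "trustType": 2, "trustDirection": 3,
     "trustAttributes": FOREST_TRANSITIVE | CROSS_ORGANIZATION | QUARANTINED_DOMAIN},
]

if __name__ == "__main__":
    for e in SAMPLE_TRUSTS:
        print(summarize_trust(e))
    print("open to all comers:", open_to_all_comers(SAMPLE_TRUSTS))
```

On a real domain the same dicts come from an LDAP search for `(objectClass=trustedDomain)` under `CN=System` of the domain naming context; the decoder does not change. Bidirectional forest trusts come out as transitive with no selective authentication, which is the configuration the message is describing; the last sample entry shows the settings that narrow one.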