Is there a "CApath" concept in AD/DC?
Rick van Rein
rick at openfortress.nl
Fri Apr 17 09:52:03 EDT 2015
Hello,

MIT krb5 features a "CApath" setting through which an external party can
help to find a path to realms that are not locally configured /
crossed-over. Does Windows AD/DC have a similar feature, and how is it
set up?

For MIT krb5 I believe it's not possible to relay anything unknown
through CApath (but an option may be the . realm) -- but would this work
on AD/DC?

With this, crossover based on DNSSEC/DANE could be implemented in a
component external to the binaries of AD/DC, making the chances of
acceptance quite a bit higher.

Thanks,
-Rick