Mimicking AD's Kerberos Forest Search Order (KFSO) with MIT Kerberos

Greg Hudson ghudson at mit.edu
Wed Mar 15 11:37:43 EDT 2017


On 03/15/2017 10:56 AM, Osipov, Michael wrote:
>> * The host-based service referrals mechanism also seems promising, and
>> you're certainly running a new enough version of Kerberos to accommodate
>> it.  I have not personally used it (yet), but it maintains security
>> whereas the DNS lookup mechanism does not.

> This applies only if your KDC is MIT Kerberos. All of our KDCs
> are Active Directory servers. We use MIT Kerberos only for clients.

Referrals were actually implemented first by Microsoft and later by us.
The KDC does have to know when to issue a referral to another realm for
a service principal, and I don't know whether it's possible to configure
that to happen across forests in Active Directory.
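As an added illustration of the client-side trade-off discussed in this thread (not configuration from either poster): with only MIT clients and AD KDCs, the unauthenticated DNS TXT lookup can be switched off and replaced by an explicit, administrator-controlled mapping from each forest's DNS suffix to its realm. The realm and domain names below are constructed placeholders.

```ini
# krb5.conf on an MIT Kerberos client talking to several AD forests.
# Realm and domain names are constructed placeholders, not real values.

[libdefaults]
    default_realm = CORP.EXAMPLE.COM
    # Weak setting: the client trusts unauthenticated DNS TXT records
    # (_kerberos.<domain>) to decide which realm a host belongs to.
    # dns_lookup_realm = true
    # Hardened setting: realm selection comes only from [domain_realm].
    dns_lookup_realm = false
    # Locating KDCs via SRV records is still fine; the KDC is
    # authenticated by the ticket exchange itself.
    dns_lookup_kdc = true

[domain_realm]
    # One entry per forest DNS suffix, maintained by the administrator
    # instead of being learned from DNS at runtime. Leading dot matches
    # every host under the suffix; the bare name matches the suffix itself.
    .corp.example.com = CORP.EXAMPLE.COM
    corp.example.com  = CORP.EXAMPLE.COM
    .partner.example.net = PARTNER.EXAMPLE.NET
    partner.example.net  = PARTNER.EXAMPLE.NET
```

Hosts that match no entry fall back to `default_realm`, so a new forest has to be added here before its services resolve to the right realm.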
