Mimicking AD's Kerberos Forest Search Order (KFSO) with MIT Kerberos

Osipov, Michael michael.osipov at siemens.com
Wed Mar 15 11:39:49 EDT 2017


> On 03/15/2017 10:56 AM, Osipov, Michael wrote:
> >> * The host-based service referrals mechanism also seems promising, and
> >> you're certainly running a new enough version of Kerberos to
> accommodate
> >> it.  I have not personally used it (yet), but it maintains security
> >> whereas the DNS lookup mechanism does not.
> 
> > This applies only if your KDC is MIT Kerberos. All of our KDCs
> > are Active Directory servers. We use MIT Kerberos only for clients.
> 
> Referrals were actually implemented first by Microsoft and later by us.
> The KDC does have to know when to issue a referral to another realm for
> a service principal, and I don't know whether it's possible to configure
> that to happen across forests in Active Directory.

So there is basically no way to tell MIT Kerberos that if your home realm is
unable to route the request, it should try other realms, correct?

Michael
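Since an MIT client with AD-only KDCs cannot rely on cross-forest referrals, the deterministic alternative is the client-side [domain_realm] mapping in krb5.conf, which routes a host-based service principal to a realm without the insecure DNS lookup mentioned above. The following added example (not code from the thread or from MIT Kerberos) reimplements that lookup rule in Python so the routing decision can be checked offline: exact hostname first, then each parent domain, where a dotted key matches subdomains and a bare key matches the host and, implicitly, its subdomains. The mapping table, hostnames and realm names are constructed sample values.

```python
from typing import Dict, Optional

# Constructed stand-in for a krb5.conf [domain_realm] section (sample data,
# not a real deployment). Keys beginning with "." cover a whole domain;
# bare keys name a single host (and implicitly its subdomains).
DOMAIN_REALM: Dict[str, str] = {
    ".corp.example.com": "CORP.EXAMPLE.COM",
    ".eu.example.net": "EU.EXAMPLE.NET",
    "legacy-app.example.org": "CORP.EXAMPLE.COM",  # host in a foreign DNS domain
}


def host_to_realm(hostname: str, mapping: Dict[str, str] = DOMAIN_REALM) -> Optional[str]:
    """Resolve a hostname to a realm the way a [domain_realm] section does.

    Order of evaluation, mirroring the documented MIT behaviour:
      1. the full (lower-cased, un-rooted) hostname as a bare key;
      2. for each parent domain, longest first: the dotted key ".domain",
         then the bare key "domain" (a host relation implies a domain relation).
    Returns None when no relation matches, i.e. the point at which the
    client would have to fall back to default_realm or a KDC referral.
    """
    host = hostname.rstrip(".").lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        for key in ("." + suffix, suffix):
            if key in mapping:
                return mapping[key]
    return None


def service_principal(service: str, hostname: str,
                      mapping: Dict[str, str] = DOMAIN_REALM) -> Optional[str]:
    """Build the host-based principal the TGS-REQ would name, realm included.

    Returns None when the realm cannot be determined locally, which is the
    case the thread is about: no local rule, and no referral to lean on.
    """
    realm = host_to_realm(hostname, mapping)
    if realm is None:
        return None
    return f"{service}/{hostname.rstrip('.').lower()}@{realm}"


if __name__ == "__main__":
    for host in ("web01.corp.example.com", "fs.eu.example.net",
                 "legacy-app.example.org", "db.asia.example.com"):
        print(f"{host:28} -> {service_principal('HTTP', host)}")
```

Running the block prints one line per sample host; the last one resolves to None, which is exactly the situation where MIT Kerberos has nothing further to try on its own and a [domain_realm] entry would have to be added for that host or domain.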

