Looking for a "Kerberos Router"?

Yoann Gini yoann.gini at gmail.com
Wed Mar 13 12:32:18 EDT 2024



> On 13 March 2024 at 17:21, Ken Hornstein <kenh at cmf.nrl.navy.mil> wrote:
> 
> It does occur to me that maybe if you have different KDC hostnames but
> the same IP address you could use TLS SNI or hostname routing which
> you indicated you already use and maybe that would be simpler?  That
> presumes the client implementations set the SNI field (I see that it
> does send a "Host" header, and it looks like MIT Kerberos does set the
> SNI hostname).

This is what I have in mind looking at the documentation of kkdcp (reading as exchanging here). Using SNI to select the KDC.

I will give it a try, it looks like the option I need here.

And yes, all of those complexities would have been avoided by network teams just supporting IPv6 and not blocking random ports for no reason…

