IAKERB Starter Credentials Solution
Michael B Allen
ioplex at gmail.com
Sun Apr 27 08:53:43 EDT 2025
On Sun, Apr 27, 2025 at 1:48 AM Greg Hudson <ghudson at mit.edu> wrote:
> On 4/26/25 10:39, Michael B Allen wrote:
> > Another method would be to modify kinit to optionally authenticate with
> an
> > IAKERB-aware service and cache the resulting TGT in the usual way.
> >
> > More specifically, add an option to krb5.conf like:
> >
> > [libdefaults]
> > iakerb_idp = https://idp1.mega.corp/do/iakerb
>
> If the goal is simply to tunnel an AS/TGS exchange over https using a
> web server set up for that purpose, I think MS-KKDCP is a more natural
> fit than IAKERB. See:
>
> https://web.mit.edu/kerberos/krb5-latest/doc/admin/https.html
>
> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kkdcp/
>
Yes!
This is better. It's basically the same just more direct and apparently
already implemented.
Will the MITK gss initiators use the HTTPS proxy to get TGS tickets too?
That would dodge IAKERB entirely.
Thanks,
Mike
--
Michael B Allen
Java AD DS Integration
https://www.ioplex.com/ <http://www.ioplex.com/>
More information about the Kerberos
mailing list