IAKERB Starter Credentials Solution
Nico Williams
nico at cryptonector.com
Sun Apr 27 23:24:16 EDT 2025
On Sun, Apr 27, 2025 at 01:48:30AM -0400, Greg Hudson wrote:
> If the goal is simply to tunnel an AS/TGS exchange over https using a web
> server set up for that purpose, I think MS-KKDCP is a more natural fit than
> IAKERB. See:
That helps in this context mainly because the krb5 API has support for
prompting, whereas GSS does not. Well, and because the OS can use
MS-KKDCP out-of-band rather than the app having to use IAKERB in-band.
I think really what this means is that IAKERB for arquiring initial
credentials is mainly uninteresting.
Nico
--
More information about the Kerberos
mailing list