Can't use NAT

Alexandra Ellwood lxs at MIT.EDU
Fri Sep 27 13:46:01 EDT 2002

>Kerbeoros can be used with NAT if one of two things are done:
>  . the public address to the NAT device is added to the list of
>    addresses for which the ticket is valid.
>  . the tickets are requested without addresses

To clarify, the above refers to Kerberos v5 protocols.

For Kerberos for Macintosh, we recommend users add "noaddresses = 
true" to their [libdefaults] section of  This will 
request addressless Kerberos 5 tickets which work behind a NAT.

Unfortunately, you can't get addressless Kerberos 4 tickets, so 
Kerberos 4 protocols do not work behind a NAT.

You many find that some clients work erratically: some clients may be 
able to connect to some servers but not others.  This is because 
Kerberos 4 hashes the client and server addresses.  Sometimes the NAT 
address and the real address of the machine may happen to hash to the 
same value.  However, there is no way to make Kerberos 4 work 
reliably with all NATed clients and servers, so we typically tell end 
users that it doesn't work at all to save them the frustration.  I 
only mention this detail because some users will report that it works 
for them.  These users are getting lucky.

Protocols use GSSAPI and require channel bindings (such as some ftp 
servers) will also not work even if you have addressless Kerberos 5 
tickets because channel bindings contain IP address information.

Additionally, some protocols include their own copy of the host IP 
address.  These services will not work behind a NAT regardless of 
whether or not they use Kerberos.  An example that comes to mind is 

We are working on adding an FAQ about NATs to the Kerberos for Macintosh pages.

Hope this helps,

Alexandra Ellwood                                               <lxs at>
MIT Information Systems                     

More information about the krbdev mailing list