Peer to Peer instead of Client to Server

Jeffrey Hutzelman jhutz at
Mon Apr 7 15:00:55 EDT 2008

--On Monday, April 07, 2008 01:30:42 PM -0500 "Douglas E. Engert" 
<deengert at> wrote:

> This sounds like user2user. DCE had it and Windows has had it for
> years. There where some IETF Kerberos and GSSAPI drafts written
> by Microsoft, but never caried forward. Globus could do it through
> GSSAPI, using its GSI and there where mods to Kerberos to support
> user2user so Globus could call GSSAPI/Kerberos.

Kerberos does U2U; see RFC4120 section 3.7 for details.

However, it's not clear to me that this application requires U2U, the main 
feature of which is that it permits authentication to a "server" which has 
a current TGT but does not know its long-term key.  In the described 
application, the servers all have keytabs and currently do not run with 
tickets, so U2U really doesn't apply here.

-- Jeff

More information about the krbdev mailing list