Kerberos dev project for review: domain_realm mapping via KDCreferral

Ken Raeburn raeburn at MIT.EDU
Tue Apr 29 16:04:13 EDT 2008

On Apr 29, 2008, at 15:45, Tim Alsop wrote:
> I am wondering why this feature not being described in an IETF  
> draft, so
> that other non-MIT clients can be interoperable with MIT KDC and other
> KDCs can have this feature added to be interoperable with MIT  
> clients ?

This is an implementation of a limited form of the KDC-side support  
for the referrals draft.  Limited, in that its only source of data is  
the domain_realm mapping so it can't differentiate by individual  
principal names or service names, it'll only work in TGS exchanges, it  
doesn't support referrals that tell the client to look up a different  
server name, etc.  But it should handle some of the most common cases,  
and works to simplify client-side configuration (in the MIT  


More information about the krbdev mailing list