Split IAKERB for local KDCs cross-realm setup?

Nico Williams nico at cryptonector.com
Fri Mar 28 15:11:06 EDT 2025


On Fri, Mar 28, 2025 at 09:01:33PM +0200, Alexander Bokovoy via krbdev wrote:
> > That said, I don't have any evidence that IAKERB is being used in the
> > environment it was designed for.
> 
> My understanding is that at least Microsoft is not planning to apply any
> additional logic to limit/handle local KDC knowledge beyond the basic
> realm discovery. This comes from my discussion with Steve Syfuhs.
> However, this also means that as long as the initiator logic we discuss
> in this thread is based on the already existing
> KRB_AP_ERR_IAKERB_KDC_{NO_RESPONSE,NOT_FOUND} messages, it would be
> compatible, at least at the cost of possible KDC locator timeouts.

Hmmm, well, if you've seen how "fun" it is to configure BYOD VPN access
w/ Negotiate for apps and also for web proxies then I think one should
prepare for having to add bandaids for painful situations.

E.g., the iOS HTTP stack will acquire Kerberos credentials upon 401 but
not upon 407, so 407s when you already have credentials work but if you
don't already have credentials or they're expired then 407s fail.

I could see the need to be able to deal with complex realm KDC access
policies.

Where's the latest IAKERB I-D?

Nico
-- 

