Split IAKERB for local KDCs cross-realm setup?

Alexander Bokovoy abokovoy at redhat.com
Fri Mar 28 15:31:13 EDT 2025


On Fri, 28 Mar 2025, Nico Williams wrote:
>On Fri, Mar 28, 2025 at 09:01:33PM +0200, Alexander Bokovoy via krbdev wrote:
>> > That said, I don't have any evidence that IAKERB is being used in the
>> > environment it was designed for.
>>
>> My understanding is that at least Microsoft is not planning to apply any
>> additional logic to limit/handle local KDC knowledge beyond the basic
>> realm discovery. This comes from my discussion with Steve Syfuhs.
>> However, this also means that as long as the initiator logic we discuss
>> in this thread is based on the already existing
>> KRB_AP_ERR_IAKERB_KDC_{NO_RESPONSE,NOT_FOUND} messages, it would be
>> compatible, at least at the cost of possible KDC locator timeouts.
>
>Hmmm, well, if you've seen how "fun" it is to configure BYOD VPN access
>w/ Negotiate for apps and also for web proxies then I think one should
>prepare for having to add bandaids for painful situations.
>
>E.g., the iOS HTTP stack will acquire Kerberos credentials upon 401 but
>not upon 407, so 407s when you already have credentials work but if you
>don't already have credentials or they're expired then 407s fail.
>
>I could see the need to be able to deal with complex realm KDC access
>policies.
>
>Where's the latest IAKERB I-D?

I believe we are still at draft-ietf-kitten-iakerb-03, the latest
discussion was this thread on the kitten@:

     [kitten] Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

in 2023 (https://mailarchive.ietf.org/arch/msg/kitten/VLOAFb4Furo4T4nr88FNrjXG6Gw/).

I haven't seen any update to 03 in the
https://github.com/kittenwg/iakerb, though.

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
