
Kerberos Referrals Mechanism: Addressing Scalability and Cross-Realm Challenges

Explore the basics and issues of the Kerberos referrals system, covering client configuration, KDC functions, and cross-realm TGT challenges. Learn about the client's chase for referrals and canonicalization issues. Discover solutions for scalability and access control challenges.


Presentation Transcript


  1. Kerberos referrals

  2. Schedule
     • Refresh draft and publish before interim meeting
     • Current date - December 20 (tentative)

  3. Basic referral mechanism
     • Motivation
       • Client config changes are not scalable
       • MS deployments are heavily cross realm oriented
     • Mechanism
       • KDC issues referrals
       • Client chases referrals

  4. AS referrals
     • Client uses KRB-NT-ENTERPRISE in request
     • Client sets 'canonicalize'
     • KDC returns
       • KRB-NT-PRINCIPAL if name found
       • KDC_ERR_WRONG_REALM if referral
       • KDC_ERR_C_PRINCIPAL_UNKNOWN

  5. TGS referrals
     • Client sends TGS-REQ with 'canonicalize'
     • KDC returns TGS-REP
       • with service ticket if service found
       • Cross realm TGT if the service is in another realm

  6. Issues
     • Referrals and canonicalization
     • Client name canonicalization issues
     • Possible issues with name based access control
     • Can only get canonicalization when authenticating
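
The "client chases referrals" step from slides 3 and 5, as an added example that is not part of the original presentation: a toy client sends a TGS request, and when the reply carries a cross-realm TGT instead of a service ticket it retries at the referred realm. The in-memory KDC table, realm and service names, `MAX_HOPS`, and the loop and unknown-realm checks are all assumptions made for this illustration, not a real Kerberos implementation.

```python
# Added illustration: toy in-memory KDCs, not a real Kerberos stack.
# Realm names, service names and MAX_HOPS are constructed assumptions.
MAX_HOPS = 5

# Per-realm KDC view: services it owns, and the realm it refers to for others.
KDCS = {
    "A.EXAMPLE": {"services": set(),
                  "referrals": {"http/web.b.example": "B.EXAMPLE"}},
    "B.EXAMPLE": {"services": {"http/web.b.example"}, "referrals": {}},
    "LOOP1.EXAMPLE": {"services": set(), "referrals": {"host/x": "LOOP2.EXAMPLE"}},
    "LOOP2.EXAMPLE": {"services": set(), "referrals": {"host/x": "LOOP1.EXAMPLE"}},
}


class ReferralError(Exception):
    """Raised when the chase cannot end in a service ticket."""


def tgs_req(realm, service, canonicalize=True):
    """Toy TGS exchange: return (ticket sname, issuing realm) from the TGS-REP."""
    kdc = KDCS[realm]
    if service in kdc["services"]:
        return service, realm                   # service ticket
    target = kdc["referrals"].get(service)
    if canonicalize and target:
        return "krbtgt/" + target, realm        # cross-realm TGT, i.e. a referral
    raise ReferralError("KDC_ERR_S_PRINCIPAL_UNKNOWN")


def chase_referrals(start_realm, service):
    """Follow cross-realm TGTs until a service ticket is issued.

    Returns (ticket sname, issuing realm, list of realms visited)."""
    realm, path = start_realm, [start_realm]
    for _ in range(MAX_HOPS):
        sname, issuer = tgs_req(realm, service)
        if sname == service:
            return sname, issuer, path
        next_realm = sname.split("/", 1)[1]     # realm named in krbtgt/REALM
        if next_realm in path:                  # a KDC sent us back: stop
            raise ReferralError("referral loop: " + " -> ".join(path + [next_realm]))
        if next_realm not in KDCS:              # no trust path we know of
            raise ReferralError("referred to unknown realm " + next_realm)
        path.append(next_realm)
        realm = next_realm
    raise ReferralError("too many referral hops")
```

Because every hop is chosen by the KDC that answered the previous request, the client bounds the chase and records the realm path so that the route a ticket was obtained through can be reviewed.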
