1 / 6

Kerberos referrals

Kerberos referrals. Schedule. Refresh draft and publish before interim meeting Current date - December 20(tentative). Basic referral mechanism. Motivation Client config changes are not scalable MS deployments are heavily cross realm oriented Mechanism KDC issues referrals

tsantos
Download Presentation

Kerberos referrals

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Kerberos referrals

  2. Schedule • Refresh draft and publish before interim meeting • Current date - December 20(tentative)

  3. Basic referral mechanism • Motivation • Client config changes are not scalable • MS deployments are heavily cross realm oriented • Mechanism • KDC issues referrals • Client chases referrals

  4. AS referrals • Client uses KRB-NT-ENTERPRISE in request • Client sets ‘canonicalize’ • KDC returns • KRB-NT-PRINCIPAL if name found • KDC_ERR_WRONG_REALM if referral • KDC_ERR_C_PRINCIPAL_UNKNOWN

  5. TGS referrals • Client sends TGS-REQ with ‘canonicalize’ • KDC returns TGS-REP • with service ticket if service found • Cross realm TGT if the service in another realm

  6. Issues • Referrals and canonicalization • Client name canonicalization issues • Possible issues with name based access control • Can only get canonicalization when authenticating

More Related