Maximizing Kerberos Referrals for Seamless Client Authentication

Learn about the basic referral mechanism in Kerberos, how KDC handles referrals, and how clients chase referrals to enhance authentication. Understand issues with client name canonicalization and potential problems with name-based access control. Ensure optimal Kerberos deployments and scalability.

tsantos

Presentation Transcript


  1. Kerberos referrals

  2. Schedule
     • Refresh draft and publish before interim meeting
     • Current date - December 20 (tentative)

  3. Basic referral mechanism
     • Motivation
        • Client config changes are not scalable
        • MS deployments are heavily cross realm oriented
     • Mechanism
        • KDC issues referrals
        • Client chases referrals

  4. AS referrals
     • Client uses KRB-NT-ENTERPRISE in request
     • Client sets ‘canonicalize’
     • KDC returns
        • KRB-NT-PRINCIPAL if name found
        • KDC_ERR_WRONG_REALM if referral
        • KDC_ERR_C_PRINCIPAL_UNKNOWN

  5. TGS referrals
     • Client sends TGS-REQ with ‘canonicalize’
     • KDC returns TGS-REP
        • with service ticket if service found
        • Cross realm TGT if the service in another realm

  6. Issues
     • Referrals and canonicalization
     • Client name canonicalization issues
     • Possible issues with name based access control
     • Can only get canonicalization when authenticating
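
The referral chase from slides 3 and 5, as an added Python sketch that is not part of the original presentation: a simulated KDC either issues the service ticket or refers the client to another realm, and the client follows referrals until it holds the ticket. The realm and service names, the KDCS table, MAX_HOPS, the loop check and the use of KDC_ERR_S_PRINCIPAL_UNKNOWN for an unknown service are assumptions made for this example.

```python
# Toy model of TGS referral chasing; no real Kerberos messages are built.
# Realms, services and the KDCS table are constructed sample data.
MAX_HOPS = 5  # assumed client-side cap on the length of a referral chain

KDCS = {
    "CORP.EXAMPLE": {"services": {"host/ws1"},
                     "refer": {"http/app": "EU.CORP.EXAMPLE",
                               "cifs/loop": "EU.CORP.EXAMPLE"}},
    "EU.CORP.EXAMPLE": {"services": set(),
                        "refer": {"http/app": "PARTNER.EXAMPLE",
                                  "cifs/loop": "CORP.EXAMPLE"}},
    "PARTNER.EXAMPLE": {"services": {"http/app"}, "refer": {}},
}

class ReferralError(Exception):
    """The chase ended without a service ticket."""

def tgs_req(realm, service, canonicalize=True):
    """Simulated KDC reply to a TGS-REQ sent to `realm`."""
    kdc = KDCS[realm]
    if service in kdc["services"]:
        return ("ticket", realm)            # service ticket issued here
    nxt = kdc["refer"].get(service)
    if canonicalize and nxt:
        return ("referral", nxt)            # cross-realm TGT for `nxt`
    return ("error", "KDC_ERR_S_PRINCIPAL_UNKNOWN")

def chase_referrals(home_realm, service):
    """Follow referrals from home_realm; return (issuing_realm, path)."""
    realm, path = home_realm, [home_realm]
    for _ in range(MAX_HOPS):
        kind, value = tgs_req(realm, service)
        if kind == "ticket":
            return value, path
        if kind == "error":
            raise ReferralError(f"{value} from {realm}")
        if value not in KDCS:
            raise ReferralError(f"referred to unknown realm {value}")
        if value in path:                   # misconfigured or hostile referral
            raise ReferralError("referral loop: " + " -> ".join(path + [value]))
        realm = value
        path.append(realm)
    raise ReferralError(f"more than {MAX_HOPS} referral hops for {service}")

if __name__ == "__main__":
    print(chase_referrals("CORP.EXAMPLE", "http/app"))
```

The returned path records every realm that took part in issuing the ticket, which is the information a client would log or check against a trusted-realm policy.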
