Kerberos referrals
Schedule
• Refresh draft and publish before interim meeting
• Current date - December 20 (tentative)
Basic referral mechanism
• Motivation
  – Client config changes are not scalable
  – MS deployments are heavily cross-realm oriented
• Mechanism
  – KDC issues referrals
  – Client chases referrals
AS referrals
• Client uses KRB-NT-ENTERPRISE in request
• Client sets ‘canonicalize’
• KDC returns
  – KRB-NT-PRINCIPAL if name found
  – KDC_ERR_WRONG_REALM if referral
  – KDC_ERR_C_PRINCIPAL_UNKNOWN
TGS referrals
• Client sends TGS-REQ with ‘canonicalize’
• KDC returns TGS-REP
  – with service ticket if service found
  – Cross-realm TGT if the service is in another realm
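
The AS and TGS referral flows above, as an added example that is not part of the original slides: a small in-memory model of a client chasing referrals, with the loop and hop-limit checks a client needs before trusting a referral chain. The realm names, principals, the `MAX_HOPS` value and all function names are assumptions made for illustration.

```python
# Constructed in-memory model of the AS and TGS referral flows; no network I/O.
# Realm names, principals and MAX_HOPS are assumptions made for this example.
MAX_HOPS = 5
KDCS = {  # per-realm database: local names, and the realm to refer others to
    "CORP.EXAMPLE": {"users": {}, "services": set(),
                     "refer": {"alice@example.com": "EU.EXAMPLE",
                               "http/web": "US.EXAMPLE", "ldap/loop": "EU.EXAMPLE"}},
    "EU.EXAMPLE": {"users": {"alice@example.com": "alice"}, "services": set(),
                   "refer": {"http/web": "CORP.EXAMPLE", "ldap/loop": "CORP.EXAMPLE"}},
    "US.EXAMPLE": {"users": {}, "services": {"http/web"}, "refer": {}},
}

def kdc_as_req(realm, name):
    """AS request carrying a KRB-NT-ENTERPRISE name with 'canonicalize' set."""
    db = KDCS[realm]
    if name in db["users"]:
        return "KRB-NT-PRINCIPAL", f'{db["users"][name]}@{realm}'
    if name in db["refer"]:
        return "KDC_ERR_WRONG_REALM", db["refer"][name]
    return "KDC_ERR_C_PRINCIPAL_UNKNOWN", None

def kdc_tgs_req(realm, service):
    """TGS-REQ with 'canonicalize' set: service ticket or cross-realm TGT."""
    db = KDCS[realm]
    if service in db["services"]:
        return "SERVICE_TICKET", f"{service}@{realm}"
    if service in db["refer"]:
        return "CROSS_REALM_TGT", db["refer"][service]
    return "KDC_ERR_S_PRINCIPAL_UNKNOWN", None

def chase(kdc_call, start_realm, name, final, referral):
    """Follow referrals from start_realm; reject loops and overly long chains."""
    realm, path = start_realm, [start_realm]
    for _ in range(MAX_HOPS):
        kind, value = kdc_call(realm, name)
        if kind == final:
            return value, path
        if kind != referral:
            raise LookupError(kind)
        if value in path or value not in KDCS:
            raise RuntimeError(f"bad referral {realm} -> {value}")
        realm = value
        path.append(realm)
    raise RuntimeError("referral hop limit exceeded")

def resolve_client(name, realm):
    return chase(kdc_as_req, realm, name, "KRB-NT-PRINCIPAL", "KDC_ERR_WRONG_REALM")

def get_service_ticket(service, realm):
    return chase(kdc_tgs_req, realm, service, "SERVICE_TICKET", "CROSS_REALM_TGT")
```

The canonical name returned by `resolve_client` differs from the enterprise name the client asked for, so any access check should key on the returned name and realm.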
Issues
• Referrals and canonicalization
• Client name canonicalization issues
  – Possible issues with name based access control
  – Can only get canonicalization when authenticating