Kerberos proxy for implementing referrals - Kerberos


Thread: Kerberos proxy for implementing referrals

  1. Kerberos proxy for implementing referrals


    I'm considering the use of a Kerberos proxy, to solve the problem of being
    unable to do cross realm authentication through a Windows realm to an MIT
    one, due to Windows not issuing referrals for external realms. The proxy
    would issue referrals where needed instead of having the Windows KDC say
    "no such principal," and send/return all other requests to Windows for the
    client. Obviously, the proxy will need the TGS keys for the Windows
    realm. This is a last resort; I'm going mad badgering Microsoft for some
    sort of solution to this. My outstanding request to them is whether they
    can issue default referrals. I'm not expecting a positive answer.

    I'm wondering whether anyone else has considered this, or (hoping against
    hope), already implemented it?

    I've considered using the KfW GSSAPI library with clients that support it
    (Firefox, SecureCRT, etc.), but this is probably not a workable option for
    us.

    All comments welcome and appreciated,

    --
    Richard Silverman
    res@qoxp.net


  2. Re: Kerberos proxy for implementing referrals

    Before you do this, you may want to look at "Trusted Domain Objects"
    and "Global Catalog". There may be a way to use the "netdom" command to:

    "Establish one-way or two-way trust relationships between domains,
    including the following kinds of trust relationships:
    ...
    The Windows Server 2003 or Windows 2000 Server half of an
    interoperable Kerberos realm."

    Google for netdom, trusted domain object or TDO, referral and cross realm
    or Google for "Domain and Forest Trust Tools and Settings"

    (I have not tried this. But it looks like the netdom command could
    set up the TDO that is missing.)


    Richard E. Silverman wrote:

    > I'm considering the use of a Kerberos proxy, to solve the problem of being
    > unable to do cross realm authentication through a Windows realm to an MIT
    > one, due to Windows not issuing referrals for external realms. The proxy
    > would issue referrals where needed instead of having the Windows KDC say
    > "no such principal," and send/return all other requests to Windows for the
    > client. Obviously, the proxy will need the TGS keys for the Windows
    > realm. This is a last resort; I'm going mad badgering Microsoft for some
    > sort of solution to this. My outstanding request to them is whether they
    > can issue default referrals. I'm not expecting a positive answer.
    >
    > I'm wondering whether anyone else has considered this, or (hoping against
    > hope), already implemented it?
    >
    > I've considered using the KfW GSSAPI library with clients that support it
    > (Firefox, SecureCRT, etc.), but this is probably not a workable option for
    > us.
    >
    > All comments welcome and appreciated,
    >


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  3. Re: Kerberos proxy for implementing referrals


    Thanks. I should have mentioned that I have also asked Microsoft about
    the various bits of netdom that seem as if they might work, e.g. netdom
    /addtln. But I will do some more research of my own.

    Another complication is that we have hosts in both Windows and MIT realms
    scattered throughout the same DNS domains, so a simple domain-realm mapping
    will not work. We use DNS realm RRs (_kerberos.hostname) to effect this,
    and Windows has to somehow get the same info.

    - Richard

    > Before you do this, you may want to look at "Trusted Domain Objects"
    > and "Global Catalog". There may be a way to use the "netdom" command to:
    >
    > "Establish one-way or two-way trust relationships between domains,
    > including the following kinds of trust relationships:
    > ...
    > The Windows Server 2003 or Windows 2000 Server half of an
    > interoperable Kerberos realm."
    >
    > Google for netdom, trusted domain object or TDO, referral and cross realm
    > or Google for "Domain and Forest Trust Tools and Settings"
    >
    > ( I have not tried this. But it looks like the netdom command could
    > setup the TDO that is missing.)


    --
    Richard Silverman
    res@qoxp.net


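    As an added illustration (not code from anyone in this thread), the following models the one decision such a proxy would have to make in front of the Windows KDC: given a service principal in a TGS-REQ, work out which realm owns the host from per-host `_kerberos.<hostname>` TXT records (walking up the parent domains the way MIT krb5's dns_lookup_realm does), and either forward the request to Windows or answer with a referral to the MIT realm. Realm names and DNS records are constructed sample data.

```python
# Added example: host-to-realm decision for a referral-issuing Kerberos proxy.
# Realm names and TXT records below are constructed, not from the thread.

WINDOWS_REALM = "AD.EXAMPLE.COM"   # constructed: realm the proxy fronts

# Constructed TXT records in the _kerberos.<name> form MIT krb5 consults.
# Hosts of both realms share the same DNS domain, so a flat [domain_realm]
# map cannot express this; a per-host (or per-subdomain) record can.
DNS_TXT = {
    "_kerberos.files1.example.com": "MIT.EXAMPLE.COM",
    "_kerberos.pc17.example.com": "AD.EXAMPLE.COM",
    "_kerberos.lab.example.com": "MIT.EXAMPLE.COM",   # covers *.lab.example.com
}


def lookup_realm_txt(hostname, txt=DNS_TXT):
    """Return the realm for a host from _kerberos TXT records, trying the full
    host name first and then each parent domain (MIT dns_lookup_realm order).
    Returns None when no record exists at any level."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rr = txt.get("_kerberos." + ".".join(labels[i:]))
        if rr:
            return rr.upper()
    return None


def decide(service_principal, txt=DNS_TXT):
    """Decide what the proxy does with a TGS-REQ for 'svc/host@REALM':
    ('forward', WINDOWS_REALM) hands the request to the Windows KDC unchanged;
    ('referral', realm) is the answer the Windows KDC would otherwise replace
    with "no such principal"."""
    name, _, _requested_realm = service_principal.partition("@")
    _svc, _, host = name.partition("/")
    if not host:
        # Not a host-based principal (e.g. a user): nothing to refer.
        return ("forward", WINDOWS_REALM)
    realm = lookup_realm_txt(host, txt)
    if realm is None or realm == WINDOWS_REALM:
        # Windows owns the host, or no record says otherwise: let Windows answer.
        return ("forward", WINDOWS_REALM)
    return ("referral", realm)
```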

  4. Re: Kerberos proxy for implementing referrals



    Richard Silverman wrote:

    >
    > Thanks. I should have mentioned that I have also asked Microsoft about
    > the various bits of netdom that seem as if they might work, e.g. netdom
    > /addtln. But I will do some more research of my own.
    >
    > Another complication is that we have hosts in both Windows and MIT realms
    > scattered throughout the same DNS domains, so a simple domain-realm mapping
    > will not work. We use DNS realm RRs (_kerberos.hostname) to effect this,
    > and Windows has to somehow get the same info.


    Well, I think the Windows KDC looks up the SPN in the forest and, if it is not
    found, will then look for the TDO and the domain suffix.

    If you get this to work, please tell the list how you did it!



    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444

