Implementation of Crossrealm Referral Handling in the MIT Kerberos Client
Authors
Abstract
The Windows 2000 Kerberos implementation [1, 2] uses a different approach to solve the Kerberos realm resolution problem than has traditionally been used by MIT Kerberos implementations. In this paper, we present the details of the two approaches and compare them. To facilitate more effective use of the Kerberos ticket cache, we propose a new format for referral data that includes a list of alias names as part of the returned referral information. We include the pseudocode for the algorithm that we have implemented in the MIT Kerberos client that allows an MIT Kerberos client to request and follow referrals from a Windows 2000 Kerberos KDC, thus removing the need for management and administration of DNS-to-realm mapping files on Kerberos client hosts. We conclude with a discussion of issues that are applicable to any mutual authentication protocol.
Similar resources
XKDCP: An Inter-KDC Protocol for Dependable Kerberos Cross-Realm Operations
The wide popularity of Kerberos made it the de-facto standard for authentication in enterprise networks. Moreover, the lightweight nature of Kerberos makes it a candidate of choice for securing network communications in emerging non-enterprise information systems such as industrial control networks, building automation and intelligent transportation systems. Many of these potential applications...
Kerberos Working Group
The draft documents a method for a Kerberos Key Distribution Center (KDC) to respond to client requests for Kerberos tickets when the client does not have detailed configuration information on the realms of users or services. The KDC will handle requests for principals in other realms by returning either a referral error or a cross-realm TGT to another realm on the referral path. The clients wi...
RFC 6806 KDC Referrals
This memo documents a method for a Kerberos Key Distribution Center (KDC) to respond to client requests for Kerberos tickets when the client does not have detailed configuration information on the realms of users or services. The KDC will handle requests for principals in other realms by returning either a referral error or a cross-realm Ticket-Granting Ticket (TGT) to another realm on the refe...
Kerberos with Clocks Adrift: History, Protocols, and Implementation
We show that the Kerberos Authentication System can relax its requirement for synchronized clocks, with only a minor change which is consistent with the current protocol. Synchronization has been an important limitation of Kerberos; it imposes political costs and technical ones. Further, Kerberos' reliance on synchronization obstructs the secure initialization of clocks at bootstrap. Perhaps mo...
Kerberos Security With Clocks Adrift: History, Protocols, and Implementation
We show that the Kerberos Authentication System can relax its requirement for synchronized clocks, with only a minor change which is consistent with the current protocol. Synchronization has been an important limitation of Kerberos; it imposes political costs and technical ones. Further, Kerberos' reliance on synchronization obstructs the secure initialization of clocks at bootstrap. Perhaps mo...