RE: Looking for a "Kerberos Router"?

From: Brent.Ki...@Durham.ca (Brent Kimberley)
Newsgroups: comp.protocols.kerberos
Subject: RE: Looking for a "Kerberos Router"?
Date: Wed, 13 Mar 2024 16:54:11 +0000
 by: Brent Kimberley - Wed, 13 Mar 2024 16:54 UTC

[MS-KKDCP]: Kerberos Key Distribution Center (KDC) Proxy Protocol
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kkdcp/5bcebb8d-b747-4ee5-9453-428aec1c5c38?source=recommendations

1 Introduction
The Kerberos Key Distribution Center (KDC) Proxy Protocol (KKDCP) is used by an HTTP-based KKDCP server and KKDCP client to relay the Kerberos Network Authentication Service (V5) protocol [RFC4120] and Kerberos change password [RFC3244] messages between a Kerberos client and a KDC.
Note Throughout the remainder of this specification the Kerberos Network Authentication Service (V5) protocol will be referred to simply as Kerberos V5. Kerberos Network Authentication Service (V5) protocol [RFC4120] and Kerberos change password [RFC3244] messages will be referred to simply as Kerberos messages.
Sections 1.5, 1.8, 1.9, 2, and 3 of this specification are normative. All other sections and examples in this specification are informative.

2.1 Transport
Messages are transported by using HTTP POST as specified in [RFC2616]. These messages are sent via Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) by default. The URI uses the virtual directory /KdcProxy unless otherwise configured. The body of the HTTP message contains the KDC_PROXY_MESSAGE (section 2.2.2).
KDC proxy messages are defined using Abstract Syntax Notation One (ASN.1), as specified in [X680], and encoded using Distinguished Encoding Rules (DER), as specified in [X690] section 10.

2.2 Message Syntax
KKDCP does not alter the syntax of any Kerberos messages.

2.2.2 KDC_PROXY_MESSAGE
This structure is a KDC proxy message that contains the Kerberos message to be proxied and optional information for DC location at the KKDCP server.

KDC-PROXY-MESSAGE ::= SEQUENCE {
    kerb-message    [0] OCTET STRING,
    target-domain   [1] KERB-REALM OPTIONAL,
    dclocator-hint  [2] INTEGER OPTIONAL
}
kerb-message: A Kerberos message, including the 4 octet length value specified in [RFC4120] section 7.2.2 in network byte order.
target-domain: An optional KerberosString ([RFC4120] section 5.2.1) that represents the realm to which the Kerberos message is sent, which is required for client messages and is not used in server messages. This value is not case-sensitive.
dclocator-hint: An optional Flags ([MS-NRPC] section 3.5.4.3.1) which contains additional data to be used to find a domain controller for the Kerberos message.

5.1 Security Considerations for Implementers
Because KKDCP is typically used in the Internet, messages are only protected when HTTPS is used, and the KKDCP server's certificate is valid. When using HTTP, the KKDCP client is sending clear text Kerberos messages, which are vulnerable to attacks discussed in Kerberos V5 ([RFC4120] section 10), unless FAST [RFC6113] is used.

When the KKDCP server relays messages from Internet KKDCP clients to the KDC, it opens unauthenticated access to the KDC from the Internet, unless TLS client authentication is required. KKDCP servers can also provide some level of protection by only relaying valid Kerberos messages, and by throttling messages. KKDCP servers open KDCs to the Internet, exposing them to denial-of-service attacks (using Kerberos messages) that were previously only possible via other authentication protocols, such as NTLM.

-----Original Message-----
From: Kerberos <kerberos-bounces@mit.edu> On Behalf Of Ken Hornstein via Kerberos
Sent: Wednesday, March 13, 2024 12:22 PM
To: Yoann Gini <yoann.gini@gmail.com>
Cc: kerberos@mit.edu
Subject: Re: Looking for a "Kerberos Router"?

>Looking at Apple documentation I see the support for something I had
>never heard of: Kerberos Key Distribution Center Proxy.
>
>Looks like a solution to encapsulate Kerberos requests into an HTTPS.
>
>Any experience on this here?

I personally have not used that, but I know that MIT Kerberos supports that (as far as I can tell, that protocol exists just because firewall people are dumb, but that's neither here nor there). That contains a wrapper ASN.1 structure which has the target realm in it so you could use that for routing (although the target domain is listed as an optional element to the KDC_PROXY_MESSAGE so that suggests to me you can't rely on it). So you're still going to have to write code to parse an ASN.1 structure to do backend routing.

It does occur to me that maybe if you have different KDC hostnames but the same IP address you could use TLS SNI or hostname routing which you indicated you already use and maybe that would be simpler? That presumes the client implementations set the SNI field (I see that it does send a "Host" header, and it looks like MIT Kerberos does set the SNI hostname).

--Ken
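Added example, not part of the original post or of any implementation named in the thread: a minimal parser for the KDC-PROXY-MESSAGE quoted above that validates the kerb-message length prefix and routes on target-domain, refusing the request when that optional field is absent. It assumes EXPLICIT context tags and a GeneralString (0x1B) realm, which the quoted text does not state; KkdcpError, route, backends and SAMPLE are hypothetical names, and SAMPLE is constructed.

```python
class KkdcpError(ValueError):
    """A message the proxy should refuse to relay."""

# Constructed sample, not a real Kerberos request; target-domain "example.com".
SAMPLE = bytes.fromhex("301ba00a04080000000454455354a10d1b0b6578616d706c652e636f6d")

def _tlv(buf, pos):
    """Read one TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise KkdcpError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length >= 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise KkdcpError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise KkdcpError("TLV overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def parse_kdc_proxy_message(der):
    """Return (kerb_message, realm or None); raise KkdcpError if malformed."""
    tag, body, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise KkdcpError("not exactly one SEQUENCE")
    fields, pos = {}, 0
    while pos < len(body):
        ctx, inner, pos = _tlv(body, pos)  # assumed EXPLICIT tags [0]..[2]
        itag, value, iend = _tlv(inner, 0)
        if ctx not in (0xA0, 0xA1, 0xA2) or ctx in fields or iend != len(inner):
            raise KkdcpError("unknown, duplicate or malformed field")
        fields[ctx] = (itag, value)
    if fields.get(0xA0, (None,))[0] != 0x04:
        raise KkdcpError("kerb-message missing or not an OCTET STRING")
    kerb = fields[0xA0][1]
    # RFC 4120 7.2.2 framing: 4-octet network-order length, then the message
    if len(kerb) < 4 or int.from_bytes(kerb[:4], "big") != len(kerb) - 4:
        raise KkdcpError("length prefix does not match kerb-message")
    realm = None
    if 0xA1 in fields:  # OPTIONAL, so absence is a normal case
        itag, value = fields[0xA1]
        if itag != 0x1B or not value.isascii():  # GeneralString, ASCII only
            raise KkdcpError("target-domain is not a KerberosString")
        realm = value.decode("ascii").upper()  # realm is not case-sensitive
    return kerb, realm

def route(der, backends):
    """Map a request to a backend KDC by realm; refuse when it cannot."""
    _, realm = parse_kdc_proxy_message(der)
    if realm is None or realm not in backends:
        raise KkdcpError("no routable target-domain")
    return backends[realm]
```

The backends mapping is keyed by upper-cased realm; the parser checks structure and framing only and does not inspect the Kerberos message inside kerb-message.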
