https://www.novabbs.com/devel/article-flat.php?id=506&group=comp.protocols.kerberos#506
From: paulcay...@yahoo.com (Paul Cayley)
Newsgroups: comp.protocols.kerberos
Subject: Re: Looking for a "Kerberos Router"?
Date: Wed, 13 Mar 2024 19:16:36 +0000 (UTC)
Organization: TNet Consulting
Lines: 134
Message-ID: <mailman.54.1710357410.2322.kerberos@mit.edu>

See RFC 4559 and related 
MS support keep via https
Quest Vintela and others field kit that supports this
IBM and SiteMinder have guidance and support

On Wednesday, March 13, 2024, 9:56 AM, Brent Kimberley via Kerberos <kerberos@mit.edu> wrote:

[MS-KKDCP]: Kerberos Key Distribution Center (KDC) Proxy Protocol
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kkdcp/5bcebb8d-b747-4ee5-9453-428aec1c5c38?source=recommendations

1 Introduction
The Kerberos Key Distribution Center (KDC) Proxy Protocol (KKDCP) is used by an HTTP-based KKDCP server and KKDCP client to relay the Kerberos Network Authentication Service (V5) protocol [RFC4120] and Kerberos change password [RFC3244] messages between a Kerberos client and a KDC.
Note  Throughout the remainder of this specification the Kerberos Network Authentication Service (V5) protocol will be referred to simply as Kerberos V5. Kerberos Network Authentication Service (V5) protocol [RFC4120] and Kerberos change password [RFC3244] messages will be referred to simply as Kerberos messages.
Sections 1.5, 1.8, 1.9, 2, and 3 of this specification are normative. All other sections and examples in this specification are informative.

2.1 Transport
Messages are transported by using HTTP POST as specified in [RFC2616]. These messages are sent via Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) by default. The URI uses the virtual directory /KdcProxy unless otherwise configured. The body of the HTTP message contains the KDC_PROXY_MESSAGE (section 2.2.2).
KDC proxy messages are defined using Abstract Syntax Notation One (ASN.1), as specified in [X680], and encoded using Distinguished Encoding Rules (DER), as specified in [X690] section 10.

2.2 Message Syntax
KKDCP does not alter the syntax of any Kerberos messages.

2.2.2 KDC_PROXY_MESSAGE
This structure is a KDC proxy message that contains the Kerberos message to be proxied and optional information for DC location at the KKDCP server.

KDC-PROXY-MESSAGE ::= SEQUENCE {
    kerb-message      [0] OCTET STRING,
    target-domain     [1] KERB-REALM OPTIONAL,
    dclocator-hint    [2] INTEGER OPTIONAL
}
kerb-message: A Kerberos message, including the 4 octet length value specified in [RFC4120] section 7.2.2 in network byte order.
target-domain: An optional KerberosString ([RFC4120] section 5.2.1) that represents the realm to which the Kerberos message is sent, which is required for client messages and is not used in server messages. This value is not case-sensitive.
dclocator-hint: An optional Flags ([MS-NRPC] section 3.5.4.3.1) which contains additional data to be used to find a domain controller for the Kerberos message.

5.1 Security Considerations for Implementers
Because KKDCP is typically used in the Internet, messages are only protected when HTTPS is used, and the KKDCP server's certificate is valid. When using HTTP, the KKDCP client is sending clear text Kerberos messages, which are vulnerable to attacks discussed in Kerberos V5 ([RFC4120] section 10), unless FAST [RFC6113] is used.

When the KKDCP server relays messages from Internet KKDCP clients to the KDC, it opens unauthenticated access to the KDC from the Internet, unless TLS client authentication is required. KKDCP servers can also provide some level of protection by only relaying valid Kerberos messages, and by throttling messages. KKDCP servers open KDCs to the Internet, exposing them to denial-of-service attacks (using Kerberos messages) that were previously only possible via other authentication protocols, such as NTLM.

-----Original Message-----
From: Kerberos <kerberos-bounces@mit.edu> On Behalf Of Ken Hornstein via Kerberos
Sent: Wednesday, March 13, 2024 12:22 PM
To: Yoann Gini <yoann.gini@gmail.com>
Cc: kerberos@mit.edu
Subject: Re: Looking for a "Kerberos Router"?


>Looking at Apple documentation I see the support for something I had
>never heard of: Kerberos Key Distribution Center Proxy.
>
>Looks like a solution to encapsulate Kerberos requests into an HTTPS.
>
>Any experience on this here?

I personally have not used that, but I know that MIT Kerberos supports that (as far as I can tell, that protocol exists just because firewall people are dumb, but that's neither here nor there).  That contains a wrapper ASN.1 structure which has the target realm in it so you could use that for routing (although the target domain is listed as an optional element to the KDC_PROXY_MESSAGE so that suggests to me you can't rely on it).  So you're still going to have to write code to parse an ASN.1 structure to do backend routing.

It does occur to me that maybe if you have different KDC hostnames but the same IP address you could use TLS SNI or hostname routing which you indicated you already use and maybe that would be simpler?  That presumes the client implementations set the SNI field (I see that it does send a "Host" header, and it looks like MIT Kerberos does set the SNI hostname).

--Ken
________________________________________________
Kerberos mailing list          Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

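Ken's point that a KKDCP front end has to parse the ASN.1 wrapper to route on the realm, and the spec's note that target-domain is optional and that servers should relay only valid Kerberos messages, as an added example that is not code from the thread, from MIT Kerberos or from the MS-KKDCP spec: a small Python DER encoder and decoder for KDC-PROXY-MESSAGE that checks the 4-octet length prefix inside kerb-message and picks a backend by realm only when one is present. The function names, the routing table and the sample message are constructed for this example.

```python
# Added example: minimal DER handling for KDC-PROXY-MESSAGE (not the thread's or Microsoft's code).
def _tlv(tag, value):
    """DER TLV; this demo encoder supports short-form lengths (< 128 bytes) only."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

def build_kdc_proxy_message(kerb_message, target_domain=None):
    # kerb_message must already carry its RFC 4120 section 7.2.2 4-octet length prefix
    body = _tlv(0xA0, _tlv(0x04, kerb_message))
    if target_domain is not None:                    # [1] KERB-REALM is a KerberosString (GeneralString)
        body += _tlv(0xA1, _tlv(0x1B, target_domain.encode("ascii")))
    return _tlv(0x30, body)

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at buf[pos:], long-form lengths included."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_kdc_proxy_message(data):
    """Decode KDC-PROXY-MESSAGE; reject anything whose kerb-message length prefix does not match."""
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single DER SEQUENCE")
    out, pos = {"kerb_message": None, "target_domain": None, "dclocator_hint": None}, 0
    while pos < len(body):
        ctag, cval, pos = _read_tlv(body, pos)          # explicit [0], [1], [2] wrappers
        itag, ival, iend = _read_tlv(cval, 0)
        if iend != len(cval):
            raise ValueError("trailing bytes inside context tag")
        if ctag == 0xA0 and itag == 0x04:
            out["kerb_message"] = ival
        elif ctag == 0xA1 and itag == 0x1B:
            out["target_domain"] = ival.decode("ascii")
        elif ctag == 0xA2 and itag == 0x02:
            out["dclocator_hint"] = int.from_bytes(ival, "big", signed=True)
        else:
            raise ValueError("unexpected element 0x%02x/0x%02x" % (ctag, itag))
    km = out["kerb_message"]
    if km is None or len(km) < 4 or int.from_bytes(km[:4], "big") != len(km) - 4:
        raise ValueError("kerb-message absent or 4-octet length prefix mismatch")
    return out

def select_backend(data, routes):   # realm lookup is case-insensitive; None when target-domain is absent
    realm = parse_kdc_proxy_message(data)["target_domain"]
    return None if realm is None else routes.get(realm.upper())
```

When select_backend returns None the front end has no realm to route on and must fall back to something else (TLS SNI or the Host header, as Ken suggests) or refuse the message.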
