Groups | Search | Server Info | Login | Register

Groups > comp.protocols.kerberos > #5408

Re: IAKERB Starter Credentials Solution

From Michael B Allen <ioplex@gmail.com>
Newsgroups comp.protocols.kerberos
Subject Re: IAKERB Starter Credentials Solution
Date 2025-04-27 08:53 -0400
Organization TNet Consulting
Message-ID <mailman.191.1745758441.2322.kerberos@mit.edu> (permalink)
References <CAGMFw4jy=ceiETpLu9Aa1W0TYnjHedW3DMx7fss4XFrD-HzN=w@mail.gmail.com> <fa4f4827-2be9-442f-b1d6-47bc871aa4fa@mit.edu> <CAGMFw4gG9yS3Mx_Pt2hTYDEv30xbDgx7Vue7n7RNWPdqwtXwhg@mail.gmail.com>

Show all headers | View raw

On Sun, Apr 27, 2025 at 1:48 AM Greg Hudson <ghudson@mit.edu> wrote:

> On 4/26/25 10:39, Michael B Allen wrote:
> > Another method would be to modify kinit to optionally authenticate with
> an
> > IAKERB-aware service and cache the resulting TGT in the usual way.
> >
> > More specifically, add an option to krb5.conf like:
> >
> >    [libdefaults]
> >        iakerb_idp = https://idp1.mega.corp/do/iakerb
>
> If the goal is simply to tunnel an AS/TGS exchange over https using a
> web server set up for that purpose, I think MS-KKDCP is a more natural
> fit than IAKERB.  See:
>
>      https://web.mit.edu/kerberos/krb5-latest/doc/admin/https.html
>
> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kkdcp/
>

Yes!

This is better. It's basically the same just more direct and apparently
already implemented.

Will the MITK gss initiators use the HTTPS proxy to get TGS tickets too?

That would dodge IAKERB entirely.

Thanks,
Mike

-- 
Michael B Allen
Java AD DS Integration
https://www.ioplex.com/ <http://www.ioplex.com/>

Back to comp.protocols.kerberos | Previous | Next | Find similar

Thread

Re: IAKERB Starter Credentials Solution Michael B Allen <ioplex@gmail.com> - 2025-04-27 08:53 -0400

csiph-web