| Path | csiph.com!tncsrv06.tnetconsulting.net!.POSTED.mailman.mit.edu!not-for-mail |
|---|---|
| From | Michael B Allen <ioplex@gmail.com> |
| Newsgroups | comp.protocols.kerberos |
| Subject | Re: IAKERB Starter Credentials Solution |
| Date | Sun, 27 Apr 2025 08:53:43 -0400 |
| Organization | TNet Consulting |
| Lines | 38 |
| Message-ID | <mailman.191.1745758441.2322.kerberos@mit.edu> |
| References | <CAGMFw4jy=ceiETpLu9Aa1W0TYnjHedW3DMx7fss4XFrD-HzN=w@mail.gmail.com> <fa4f4827-2be9-442f-b1d6-47bc871aa4fa@mit.edu> <CAGMFw4gG9yS3Mx_Pt2hTYDEv30xbDgx7Vue7n7RNWPdqwtXwhg@mail.gmail.com> |
| MIME-Version | 1.0 |
| Content-Type | text/plain; charset="UTF-8" |
| Content-Transfer-Encoding | quoted-printable |
| Cc | kerberos <kerberos@mit.edu> |
| To | Greg Hudson <ghudson@mit.edu> |
| In-Reply-To | <fa4f4827-2be9-442f-b1d6-47bc871aa4fa@mit.edu> |
| List-Id | The Kerberos Authentication System Mailing List <kerberos.mit.edu> |
On Sun, Apr 27, 2025 at 1:48 AM Greg Hudson <ghudson@mit.edu> wrote:
> On 4/26/25 10:39, Michael B Allen wrote:
> > Another method would be to modify kinit to optionally authenticate with an
> > IAKERB-aware service and cache the resulting TGT in the usual way.
> >
> > More specifically, add an option to krb5.conf like:
> >
> > [libdefaults]
> > iakerb_idp = https://idp1.mega.corp/do/iakerb
>
> If the goal is simply to tunnel an AS/TGS exchange over https using a
> web server set up for that purpose, I think MS-KKDCP is a more natural
> fit than IAKERB. See:
>
> https://web.mit.edu/kerberos/krb5-latest/doc/admin/https.html
> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kkdcp/

Yes! This is better. It's basically the same, just more direct and
apparently already implemented.

Will the MITK gss initiators use the HTTPS proxy to get TGS tickets too?
That would dodge IAKERB entirely.

Thanks,
Mike

--
Michael B Allen
Java AD DS Integration
https://www.ioplex.com/
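The MS-KKDCP transport Greg points to wraps each AS/TGS message in a small DER structure (KDC-PROXY-MESSAGE) that the client POSTs to the proxy over HTTPS. The following is an added example written for this page, not code from the thread, from MIT krb5 or from Microsoft: a dependency-free Python encoder and decoder for that wrapper, with the length-prefix check a proxy should perform before relaying to the KDC. The realm name and message bytes used in testing are constructed stand-ins.

```python
import struct

def _der_len(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def encode_kkdcp(kerb_msg, realm=None):
    """Wrap a raw AS-REQ/TGS-REQ for the proxy; inner bytes keep the TCP 4-byte length prefix."""
    framed = struct.pack(">I", len(kerb_msg)) + kerb_msg
    seq = _tlv(0xA0, _tlv(0x04, framed))                       # [0] kerb-message OCTET STRING
    if realm is not None:
        seq += _tlv(0xA1, _tlv(0x1B, realm.encode("ascii")))   # [1] target-domain GeneralString
    return _tlv(0x30, seq)                                     # outer SEQUENCE

def _read_tlv(buf, pos):
    """Parse one TLV at pos -> (tag, body, next_pos); rejects truncated input."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                          # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if pos + length > len(buf):
        raise ValueError("truncated KDC-PROXY-MESSAGE")
    return tag, buf[pos:pos + length], pos + length

def decode_kkdcp(blob):
    """Unwrap a KDC-PROXY-MESSAGE -> (kerberos message, target realm or None)."""
    tag, seq, _ = _read_tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    pos, kerb_msg, realm = 0, None, None
    while pos < len(seq):
        ctag, body, pos = _read_tlv(seq, pos)
        itag, inner, _ = _read_tlv(body, 0)
        if ctag == 0xA0 and itag == 0x04:
            # A proxy should verify the length prefix before relaying to the KDC.
            if struct.unpack(">I", inner[:4])[0] != len(inner) - 4:
                raise ValueError("length prefix mismatch in kerb-message")
            kerb_msg = inner[4:]
        elif ctag == 0xA1 and itag == 0x1B:
            realm = inner.decode("ascii")
    if kerb_msg is None:
        raise ValueError("kerb-message missing")
    return kerb_msg, realm
```

The encoded blob is what goes in the HTTP POST body with Content-Type application/kerberos; the optional dclocator-hint field ([2] INTEGER) is omitted here since krb5 clients do not send it.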