So, which parts of the article are no longer true, are misleading, or
are outright lies?

I think one problem is that a Win2K AD server can interoperate fine
with other Kerberos implementations as long as AD gets to be the
KDC.   If you try to configure a network with a non-AD server
as the KDC (use a stock MIT KDC, for example), the Microsoft
system can be forced to use it, but by doing so you can no longer
participate in the domain or get MS privileges from the tickets
generated by the non-MS KDC, effectively making your expensive
Win2K server a lot less useful.  Not being able to actually write
software to generate the PAC field from a non-MS server is the
root of this problem.  If you were truly to open up your implementation
and share the information with the Kerberos community in an open
manner (i.e. unencumbered by a license) this problem would quickly
disappear.

The short answer is, if you want a Kerberized network with a mixture
of Microsoft and non-Microsoft software, you better let MS be the
KDC or else you forfeit a lot of the nice MS features.  It's a
backhanded way of forcing people to choose your tools.

-Wyllys



David Lawler Christiansen (NT) wrote:

> No offense, but this article is old news, speculative and misleading in 
> places.  It has nothing to do with MS's use of Kerberos in Passport 
> (which is what Ice is asking, I think), and only questions whether our 
> Kerberos implementation will interoperate with any other 
> implementation.  The simple question I must ask in this case is, "have 
> you TRIED it?"
> 
>  
> 
> My experience is that everyone who insists that we don't interoperate is 
> either speculating, mistaken, or outright lying.  We interop just fine, 
> either as a client, a server, or as a KDC, in single and multiple-realm 
> scenarios.  If you don't believe me, hunt down someone with Win2K and/or 
> WinXP, or get on the beta program for .NET server.  Run your own tests 
> and draw your own conclusions-- don't just believe the spin. 
> 
>  
> 
> Thanks!
> 
> -Dave
> 
>  
> 
>     -----Original Message-----
>     *From:* Zafar Baig [mailto:[EMAIL PROTECTED]]
>     *Sent:* Thursday, January 17, 2002 11:27 AM
>     *To:* David Lawler Christiansen (NT); hot ice; [EMAIL PROTECTED]
>     *Subject:* RE: Kerberos on the web
> 
> 
>     http://www.infoworld.com/articles/en/xml/00/04/28/000428enkerpub.xml
> 
>     Please read this article carefully to understand interoperability
>     issues.
> 
>     Excerpts from this article....
> 
>     "....Microsoft's PAC locks users into its version of Kerberos."
> 
> 
> 



