Tunneling sounds like the best option. We have over 500 Windows 2000 and Windows 2003 domain controllers (KDCs in Active Directory), that we don't want to have to modify or install new software on. These domain controllers (KDCs) do have SSL properly configured, so I suppose, we could tunnel the AS-REQ and AS-REP inside of SSL. I'll try this unless anyone knows of a better way, keeping in mind no major changes can be made to these Domain Controllers.
Thanks! ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos