Jiva DeVoe wrote:
> In the case of cross-realm authentication (i.e.: [EMAIL PROTECTED]
> authenticating to service/[EMAIL PROTECTED]) does any traffic pass between
> either the respective KDCs or does the [EMAIL PROTECTED] client need to
> contact the KDC in REALM2?
>
> The context of the question is: if I have one or the other of the two
> realms behind a firewall, do I need to open any additional ports besides
> the traffic port for my service in order to support Kerberos
> authentication?
>
> (This is of course assuming the cross-realm principals are configured
> appropriately in each realm.)
The client talks to a KDC in each realm in order to obtain the TGTs for each realm. KDCs from different realms do not talk to one another.

Firewalls should not block port 88/udp or 88/tcp. Otherwise, clients cannot obtain tickets.

Jeffrey Altman

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
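A firewall pre-check for the setup described in the reply, added here as an example and not part of the thread: it reads the KDC entries for both realms from a constructed krb5.conf fragment, lists the KDCs a REALM1 client must be able to reach to use a REALM2 service (its own realm's KDCs and REALM2's, since the KDCs never talk to each other), and probes each on TCP 88. The host names and the conf fragment are assumptions; UDP 88 is not probed.

```python
import socket

# Constructed krb5.conf fragment (not from the thread): one KDC list per realm.
SAMPLE_KRB5_CONF = """
[realms]
    REALM1 = {
        kdc = kdc1.realm1.example:88
        kdc = kdc2.realm1.example
    }
    REALM2 = {
        kdc = kdc.realm2.example
    }
"""

def parse_kdcs(conf_text):
    """Map realm -> [(host, port)] from [realms]; port defaults to 88."""
    kdcs, section, realm = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "realms" and line.endswith("{"):
            realm = line[:-1].split("=")[0].strip()
            kdcs.setdefault(realm, [])
        elif line == "}":
            realm = None
        elif realm and line.split("=", 1)[0].strip() == "kdc":
            host, _, port = line.split("=", 1)[1].strip().partition(":")
            kdcs[realm].append((host, int(port) if port else 88))
    return kdcs

def kdcs_needed(client_realm, service_realm, kdcs):
    """KDCs a client in client_realm must reach for a service in service_realm
    (direct trust): its own KDCs (initial TGT, then krbtgt/SERVICE_REALM@CLIENT_REALM)
    and the service realm's KDCs (service ticket). KDCs never talk to each other."""
    return [(realm, host, port)
            for realm in dict.fromkeys((client_realm, service_realm))
            for host, port in kdcs[realm]]

def tcp_reachable(host, port, timeout=3.0):
    """Firewall check: TCP connect to the KDC port (UDP 88 is not probed)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    for realm, host, port in kdcs_needed("REALM1", "REALM2", parse_kdcs(SAMPLE_KRB5_CONF)):
        print(realm, f"{host}:{port}/tcp", "open" if tcp_reachable(host, port) else "blocked")
```

Point it at the real /etc/krb5.conf to check a production client; a "blocked" entry for either realm means the firewall rule for 88/tcp is missing on that path.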