I'm considering the use of a Kerberos proxy, to solve the problem of being unable to do cross realm authentication though a Windows realm to an MIT one, due to Windows not issuing referrals for external realms. The proxy would issue referrals where needed instead of having the Windows KDC say "no such principal," and send/return all other requests to Windows for the client. Obviously, the proxy will need the TGS keys for the Windows realm. This is a last resort; I'm going mad badgering Microsoft for some sort of solution to this. My outstanding request to them is whether they can issue default referrals. I'm not expecting a positive answer.
I'm wondering whether anyone else has considered this, or (hoping against hope), already implemented it? I've considered using the KfW GSSAPI library with clients that support it (Firefox, SecureCRT, etc.), but this is probably not a workable option for us. All comments welcome and appreciated, -- Richard Silverman [EMAIL PROTECTED] ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
