> On 03/15/2017 10:56 AM, Osipov, Michael wrote:
> >> * The host-based service referrals mechanism also seems promising, and
> >> you're certainly running a new enough version of Kerberos to accommodate
> >> it.  I have not personally used it (yet), but it maintains security
> >> whereas the DNS lookup mechanism does not.
> 
> > This applies only if your KDC is MIT Kerberos. All of our KDCs
> > are Active Directory servers. We use MIT Kerberos only for clients.
> 
> Referrals were actually implemented first by Microsoft and later by us.
> The KDC does have to know when to issue a referral to another realm for
> a service principal, and I don't know whether it's possible to configure
> that to happen across forests in Active Directory.

So there is basically no way to tell MIT Kerberos if your home realm is
unable to route the request, it should try other realms, correct?

Michael

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
