> If all the proxy is doing is forwarding content, it might work. But in
> that case it’s not obvious how much security we’re gaining by the
> proxy. It may be that just enabling access directly to port 88 would be
> as good. (I control the network, mostly.) Any sense how risky it is to
> expose port 88 to the internet?
For what it's worth, we do. Protocol-wise, Kerberos is literally designed to operate over untrusted networks, so I'm fine with the protocol being accessible from the Internet. Implementation-wise, the people I personally know who do that are running one of the open-source Kerberos implementations. It is my understanding that Microsoft does NOT recommend opening the Kerberos port on your domain controller to the Internet, but if you are making it available via a web proxy I'm not sure how that doesn't qualify. I'm not sure why that is Microsoft's guidance (note that I have only heard that second hand and I have not verified it).

--Ken

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
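As an added example (not part of the thread, and not code from MIT Kerberos, Heimdal or Microsoft), here is what "accessible on port 88" means on the wire: a minimal Python probe that does what any outside client would do, send an unauthenticated AS-REQ and decode the reply. A KDC that requires pre-authentication answers with a KRB-ERROR, normally KDC_ERR_PREAUTH_REQUIRED, listing the pre-authentication types it offers; that is also what an anonymous party on the Internet learns from the exposed port (the realm, whether a client principal exists, which preauth mechanisms are in use). The realm EXAMPLE.COM, the client name `probe`, and the sample reply built by `constructed_krb_error()` are assumptions made for this example; nothing here is captured from a real KDC.

```python
"""AS-REQ probe for a KDC on port 88 and a decoder for its reply (added example, not
from the thread). RFC 4120 wire format: AS-REQ is [APPLICATION 10], AS-REP is
[APPLICATION 11], KRB-ERROR is [APPLICATION 30]; over TCP each message carries a
4-byte big-endian length prefix. constructed_krb_error() is built here, not captured."""
import socket
import struct
from datetime import datetime, timedelta, timezone
from os import urandom

KRB_ERROR_CODES = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
                   14: "KDC_ERR_ETYPE_NOSUPP", 25: "KDC_ERR_PREAUTH_REQUIRED"}
PA_TYPES = {2: "PA-ENC-TIMESTAMP", 11: "PA-ETYPE-INFO", 16: "PA-PK-AS-REQ",
            19: "PA-ETYPE-INFO2", 133: "PA-FX-COOKIE", 136: "PA-FX-FAST"}

# Just enough DER to build an AS-REQ and walk a KRB-ERROR (all Kerberos tags are < 31).
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(v):                                   # minimal two's-complement INTEGER
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return der(0x02, v.to_bytes(n, "big", signed=True))

def ctx(n, body): return der(0xA0 | n, body)      # explicit context tag [n]
def app(n, body): return der(0x60 | n, body)      # [APPLICATION n]
def gstr(s): return der(0x1B, s.encode("ascii"))  # GeneralString
def principal(name_type, *parts):                 # PrincipalName
    return der(0x30, ctx(0, der_int(name_type))
               + ctx(1, der(0x30, b"".join(gstr(p) for p in parts))))

def der_read(buf, pos=0):                         # -> (tag, content, next_pos)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def der_children(buf):                            # -> [(tag, content), ...]
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = der_read(buf, pos)
        out.append((tag, val))
    return out

def build_as_req(realm, client, nonce=None):
    """AS-REQ for krbtgt/REALM that carries no pre-authentication data."""
    if nonce is None:
        nonce = int.from_bytes(urandom(4), "big") & 0x7FFFFFFF
    till = (datetime.now(timezone.utc) + timedelta(days=1)).strftime("%Y%m%d%H%M%SZ")
    body = der(0x30, ctx(0, der(0x03, b"\x00" * 5))              # kdc-options: none set
               + ctx(1, principal(1, client))                    # cname, NT-PRINCIPAL
               + ctx(2, gstr(realm))
               + ctx(3, principal(2, "krbtgt", realm))           # sname, NT-SRV-INST
               + ctx(5, der(0x18, till.encode()))                # till, GeneralizedTime
               + ctx(7, der_int(nonce))
               + ctx(8, der(0x30, der_int(18) + der_int(17))))   # etype: aes256, aes128
    return app(10, der(0x30, ctx(1, der_int(5)) + ctx(2, der_int(10)) + ctx(4, body)))

def parse_preauth_types(e_data):
    """e-data of a PREAUTH_REQUIRED error is METHOD-DATA: SEQUENCE OF PA-DATA."""
    found = []
    for _, pa in der_children(der_read(e_data)[1]):
        for ctag, cval in der_children(pa):
            if ctag & 0x1F == 1:                  # padata-type [1] Int32
                t = int.from_bytes(der_read(cval)[1], "big", signed=True)
                found.append(PA_TYPES.get(t, f"PA-{t}"))
    return found

def classify_reply(reply):
    """Decode the KDC's answer: KRB-ERROR (the expected case) or a bare AS-REP."""
    tag, seq, _ = der_read(reply)
    if tag == 0x6B:
        return {"message": "AS-REP", "note": "TGT issued without pre-authentication"}
    if tag != 0x7E:
        raise ValueError(f"unexpected message tag 0x{tag:02x}")
    fields = {t & 0x1F: der_read(v)[1] for t, v in der_children(der_read(seq)[1])}
    code = int.from_bytes(fields[6], "big", signed=True)
    info = {"message": "KRB-ERROR", "error_code": code,
            "error_name": KRB_ERROR_CODES.get(code, f"code {code}"),
            "realm": fields[9].decode("ascii")}
    if code == 25 and 12 in fields:
        info["preauth_types"] = parse_preauth_types(fields[12])
    return info

def constructed_krb_error(realm="EXAMPLE.COM"):
    """Constructed sample reply: PREAUTH_REQUIRED offering ETYPE-INFO2 and ENC-TIMESTAMP."""
    pa = lambda t: der(0x30, ctx(1, der_int(t)) + ctx(2, der(0x04, b"")))   # PA-DATA
    seq = (ctx(0, der_int(5)) + ctx(1, der_int(30)) + ctx(4, der(0x18, b"20240101000000Z"))
           + ctx(5, der_int(0)) + ctx(6, der_int(25)) + ctx(9, gstr(realm))
           + ctx(10, principal(2, "krbtgt", realm))
           + ctx(12, der(0x04, der(0x30, pa(19) + pa(2)))))
    return app(30, der(0x30, seq))

def probe_kdc(host, realm, client="probe", port=88, timeout=5.0):
    """Send one AS-REQ to host:port over TCP and decode whatever comes back."""
    req = build_as_req(realm, client)
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as f:
        s.sendall(struct.pack(">I", len(req)) + req)
        n = struct.unpack(">I", f.read(4))[0] & 0x7FFFFFFF   # high bit is reserved
        return classify_reply(f.read(n))
```

Offline, `classify_reply(constructed_krb_error())` decodes the constructed sample; against a KDC you are allowed to test, `probe_kdc("kdc.example.com", "EXAMPLE.COM")` does the same over TCP/88 (hostname assumed). A KRB-ERROR with PREAUTH_REQUIRED is the healthy answer. An AS-REP for a client name that needs no pre-authentication means the KDC handed out ticket material encrypted under that principal's long-term key to an unauthenticated caller, which is the configuration to fix before the port is reachable from outside, proxy or not.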