>The docs that I referenced still made it seem that the anchor config >was somewhat optional for anonymous auth. > >..but maybe I wasn't reading those lines with the proper mindset or context.
Looking at that, I can see why you would come to that conclusion. It was obvious to ME that you needed to configure the client to trust the KDC's certificate but I had the benefit of literal years of experience with PKINIT. Unfortunately, there's kind of a "missing middle" in terms of Kerberos documentation; there are some good high level overviews, a LOT of stuff that is documented down the wire protocol and API level, but in terms of practical integration it's kind of harsh to a newcomer because it is written by people who already know all of this. I am not faulting MIT for this, as this is true with the documentation for a LOT of very technical things. It's a lot of effort to write the sort of thing that would be useful for this kind of situation. The information is all out there but it's kind of scattered in a bunch of different places and it takes a lot of effort to put it all together. --Ken ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos