Hello, > Le 13 mars 2024 à 15:16, Ken Hornstein <k...@cmf.nrl.navy.mil> a écrit : > >> Here with Kerberos, I'm wondering how we can achieve something >> equivalent, using a shared IP for multiple Kerberos realms and having >> the incoming requests routed to the appropriate backend by some kind of >> inspection. > > I think that is certainly _possible_, but I don't believe there is > anything that does that today. You'd have to parse the Kerberos message > (which is ASN.1 and there are plenty of things that can handle that) > and extract out the realm of the server principal and route the message > appropriately.
Yes, that's the main option we see so far, but before jumping on the "let write our own proxy" solution I wanted to be sure that we don't miss something like proxy feature in an Kerberos implementation or some kind of cascading scenario. > One thing that leaps out at me is that by default a lot > of Kerberos messages default to UDP transport so that might be a bit > trickier to proxy them (but not impossible). Yes, that's another aspect of the issue, our expectations so far are on support for TCP only clients. Since it's for mobile users that we are looking to have this support, it shouldn't be an issue. Thanks. ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
