This is well tested: https://github.com/latchset/kdcproxy

On Wed, 2024-03-13 at 17:32 +0100, Yoann Gini wrote:
>
> > On 13 March 2024 at 17:21, Ken Hornstein <k...@cmf.nrl.navy.mil> wrote:
> >
> > It does occur to me that maybe if you have different KDC hostnames but
> > the same IP address you could use TLS SNI or hostname routing which
> > you indicated you already use and maybe that would be simpler? That
> > presumes the client implementations set the SNI field (I see that it
> > does send a "Host" header, and it looks like MIT Kerberos does set the
> > SNI hostname).
>
> This is what I have in mind looking at the documentation of kkdcp (reading as
> exchanging here). Using SNI to select the KDC.
>
> I will give it a try, it looks like the option I need here.
>
> And yes, all of those complexities would have been avoided by network teams
> just supporting IPv6 and not blocking random ports for no reasons…
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc