On 4/26/25 10:39, Michael B Allen wrote:
> Another method would be to modify kinit to optionally authenticate with an
> IAKERB-aware service and cache the resulting TGT in the usual way.
>
> More specifically, add an option to krb5.conf like:
>
>    [libdefaults]
>        iakerb_idp = https://idp1.mega.corp/do/iakerb

If the goal is simply to tunnel an AS/TGS exchange over https using a web server set up for that purpose, I think MS-KKDCP is a more natural fit than IAKERB. See:

    https://web.mit.edu/kerberos/krb5-latest/doc/admin/https.html
    https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kkdcp/
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
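
The framing MS-KKDCP uses to carry one Kerberos message in an HTTPS POST body, shown as an added example that is not part of the original message or of any project's code. The field layout (explicitly tagged kerb-message [0] and target-domain [1] inside a DER SEQUENCE) follows my reading of the MS-KKDCP specification linked above; the function names and the realm MEGA.CORP are hypothetical.

```python
import struct

def _der_len(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, value):
    return bytes([tag]) + _der_len(len(value)) + value

def encode_kdc_proxy_message(krb_msg, realm=None):
    """Wrap a raw AS-REQ/TGS-REQ in a KDC-PROXY-MESSAGE (DER)."""
    # kerb-message carries the same 4-byte big-endian length prefix used on TCP.
    framed = struct.pack(">I", len(krb_msg)) + krb_msg
    body = _tlv(0xA0, _tlv(0x04, framed))                   # [0] OCTET STRING
    if realm is not None:
        body += _tlv(0xA1, _tlv(0x1B, realm.encode("ascii")))  # [1] GeneralString
    return _tlv(0x30, body)                                  # SEQUENCE

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos); reject truncated or oversized lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def decode_kdc_proxy_message(data):
    """Return (kerberos_message, realm_or_None), checking the inner length prefix."""
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single DER SEQUENCE")
    fields, pos = {}, 0
    while pos < len(body):
        ctx, inner, pos = _read_tlv(body, pos)
        fields[ctx] = _read_tlv(inner, 0)[1]
    framed = fields.get(0xA0, b"")
    if len(framed) < 4 or struct.unpack(">I", framed[:4])[0] != len(framed) - 4:
        raise ValueError("kerb-message length prefix mismatch")
    realm = fields.get(0xA1)
    return framed[4:], realm.decode("ascii") if realm is not None else None
```

A proxy that validates the inner length prefix before forwarding, as the decoder does here, rejects malformed bodies at the HTTPS edge instead of passing them to the KDC.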
