On Sun, Apr 27, 2025 at 1:48 AM Greg Hudson <[email protected]> wrote:
> On 4/26/25 10:39, Michael B Allen wrote: > > Another method would be to modify kinit to optionally authenticate with > an > > IAKERB-aware service and cache the resulting TGT in the usual way. > > > > More specifically, add an option to krb5.conf like: > > > > [libdefaults] > > iakerb_idp = https://idp1.mega.corp/do/iakerb > > If the goal is simply to tunnel an AS/TGS exchange over https using a > web server set up for that purpose, I think MS-KKDCP is a more natural > fit than IAKERB. See: > > https://web.mit.edu/kerberos/krb5-latest/doc/admin/https.html > > https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kkdcp/ > Yes! This is better. It's basically the same just more direct and apparently already implemented. Will the MITK gss initiators use the HTTPS proxy to get TGS tickets too? That would dodge IAKERB entirely. Thanks, Mike -- Michael B Allen Java AD DS Integration https://www.ioplex.com/ <http://www.ioplex.com/> ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
