On Sun, Apr 27, 2025 at 01:48:30AM -0400, Greg Hudson wrote: > If the goal is simply to tunnel an AS/TGS exchange over https using a web > server set up for that purpose, I think MS-KKDCP is a more natural fit than > IAKERB. See:
That helps in this context mainly because the krb5 API has support for prompting, whereas GSS does not. Well, and because the OS can use MS-KKDCP out-of-band rather than the app having to use IAKERB in-band. I think really what this means is that IAKERB for arquiring initial credentials is mainly uninteresting. Nico -- ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
