Looking for a "Kerberos Router"?

2024-03-20 Thread Jonas via Kerberos
Thank you, I will put this on test. This is well tested: https://github.com/latchset/kdcproxy On Wed, 2024-03-13 at 17:32 +0100, Yoann Gini wrote: > > > Le 13 mars 2024 à 17:21, Ken Hornstein a écrit : > > > > It does occur to me that maybe if you have different KDC hostnames but > > the

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Brent Kimberley via Kerberos
The site philosophy can be expressed as fail open / fail closed / fail safe / fail deadly... From: Brent Kimberley Sent: Wednesday, March 13, 2024 5:41:58 PM To: Simo Sorce ; Yoann Gini ; Ken Hornstein Cc: kerberos@mit.edu Subject: RE: Looking for a "Ker

RE: Looking for a "Kerberos Router"?

2024-03-13 Thread Brent Kimberley via Kerberos
To the best of my knowledge, all IPv6 ports should be closed by design and only opened if/when approved. -Original Message- From: Kerberos On Behalf Of Simo Sorce Sent: Wednesday, March 13, 2024 4:48 PM To: Yoann Gini ; Ken Hornstein Cc: kerberos@mit.edu Subject: Re: Looking for a

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Simo Sorce
This is well tested: https://github.com/latchset/kdcproxy On Wed, 2024-03-13 at 17:32 +0100, Yoann Gini wrote: > > > Le 13 mars 2024 à 17:21, Ken Hornstein a écrit : > > > > It does occur to me that maybe if you have different KDC hostnames but > > the same IP address you could use TLS SNI or

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Paul Cayley via Kerberos
NTLM. -Original Message- From: Kerberos On Behalf Of Ken Hornstein via Kerberos Sent: Wednesday, March 13, 2024 12:22 PM To: Yoann Gini Cc: kerberos@mit.edu Subject: Re: Looking for a "Kerberos Router"? [You don't often get email from kerberos@mit.edu. Learn why this is importan

RE: Looking for a "Kerberos Router"?

2024-03-13 Thread Brent Kimberley via Kerberos
only possible via other authentication protocols, such as NTLM. -Original Message- From: Kerberos On Behalf Of Ken Hornstein via Kerberos Sent: Wednesday, March 13, 2024 12:22 PM To: Yoann Gini Cc: kerberos@mit.edu Subject: Re: Looking for a "Kerberos Router"? [You don'

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Yoann Gini
> Le 13 mars 2024 à 17:21, Ken Hornstein a écrit : > > It does occur to me that maybe if you have different KDC hostnames but > the same IP address you could use TLS SNI or hostname routing which > you indicated you already use and maybe that would be simpler? That > presumes the client implem

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Ken Hornstein via Kerberos
>Looking at Apple documentation I see the support for something I had >never heard of: Kerberos Key Distribution Center Proxy. > >Looks like a solution to encapsulate Kerberos requests into an HTTPS. > >Any experience on this here? I personally have not used that, but I know that MIT Kerberos supp

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Yoann Gini
Looking at Apple documentation I see the support for something I had never heard of: Kerberos Key Distribution Center Proxy. Looks like a solution to encapsulate Kerberos requests into an HTTPS. Any experience on this here?

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Ken Hornstein via Kerberos
>> A long time ago we had developed a small Kerberos proxy that forwarded >> on Kerberos messages by prepending the source IP address/port to the >> UDP message (our KDC at the time was modified to recognize this and >> sent the prepended bytes back to the proxy so it could send it to the >> correc

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Yoann Gini
> Le 13 mars 2024 à 15:52, Ken Hornstein a écrit : > >>> One thing that leaps out at me is that by default a lot of Kerberos >>> messages default to UDP transport so that might be a bit trickier to >>> proxy them (but not impossible). >> >> Yes, that's another aspect of the issue, our expectat

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Yoann Gini
> Le 13 mars 2024 à 15:44, Marco Rebhan a écrit : > >> On 13. Mar 2024, at 12:48, Yoann Gini wrote: >> >> Which allow us to have end to end TLS communication between our customers >> and their tenant. Which is mandatory for our mTLS. But without consuming one

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Ken Hornstein via Kerberos
>> One thing that leaps out at me is that by default a lot of Kerberos >> messages default to UDP transport so that might be a bit trickier to >> proxy them (but not impossible). > >Yes, that's another aspect of the issue, our expectations so far are on >support for TCP only clients. Since it's for

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Marco Rebhan via Kerberos
> On 13. Mar 2024, at 12:48, Yoann Gini wrote: > > Which allow us to have end to end TLS communication between our customers and > their tenant. Which is mandatory for our mTLS. But without consuming one > public IP per tenant to keep cost under control. > > Here with Kerberos, I'm wondering h

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Yoann Gini
Hello, > Le 13 mars 2024 à 15:16, Ken Hornstein a écrit : > >> Here with Kerberos, I'm wondering how we can achieve something >> equivalent, using a shared IP for multiple Kerberos realms and having >> the incoming requests routed to the appropriate backend by some kind of >> inspection. > > I

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Ken Hornstein via Kerberos
>Here with Kerberos, I'm wondering how we can achieve something >equivalent, using a shared IP for multiple Kerberos realms and having >the incoming requests routed to the appropriate backend by some kind of >inspection. I think that is certainly _possible_, but I don't believe there is anything t

Looking for a "Kerberos Router"?

2024-03-13 Thread Yoann Gini
Hello, I'm looking for a way to "route" Kerberos requests incoming to a single IP to different backend depending on the requested realms. This issue I'm trying to solve is related to the scalability of automated deployment for new Kerberos realms on a cloud infrastructure. My company is an IDP
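An added example, not code from the thread or from the kdcproxy project, showing the two inputs such a realm router can actually inspect: the question's original case (plain KDC traffic on one IP, where the TCP record is a 4-byte length prefix followed by a DER AS-REQ or TGS-REQ whose req-body carries the requested realm, RFC 4120 s7.2.2) and the KDC proxy case raised later in the thread (MS-KKDCP wraps that same framed record in a KDC-PROXY-MESSAGE whose optional target-domain names the realm). The realm names, backend addresses and the sample AS-REQ are constructed for the example; only the ASN.1 layouts are taken from RFC 4120 and MS-KKDCP.

```python
"""Realm-based routing of KDC requests. Added example, not code from the thread; the
realm names, backend addresses and the sample AS-REQ below are constructed."""
AS_REQ_APP, TGS_REQ_APP = 0x6A, 0x6C  # [APPLICATION 10] / [APPLICATION 12]
SEQ, INT, BITSTR, OCTSTR, GENSTR, GENTIME = 0x30, 0x02, 0x03, 0x04, 0x1B, 0x18

def ctx(n): return 0xA0 | n  # context-specific constructed tag [n]
def frame_tcp(msg): return len(msg).to_bytes(4, "big") + msg  # RFC 4120 s7.2.2 record

def tlv(tag, body):  # DER-encode one element (definite length)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, off=0):  # one element -> (tag, contents, offset after it)
    if off + 2 > len(buf) or buf[off] & 0x1F == 0x1F:  # short, or high tag form (unused)
        raise ValueError("truncated element or unsupported tag form")
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form; indefinite (0x80) or > 4 length bytes is not DER here
        n = length & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("bad length encoding")
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[off:off + length], off + length

def fields(elem, expect=SEQ):
    """Map the tags inside one constructed element to their contents (no duplicates)."""
    tag, inner, end = read_tlv(elem)
    if tag != expect or end != len(elem):
        raise ValueError("expected exactly one element with tag %#x" % expect)
    out, off = {}, 0
    while off < len(inner):
        t, v, off = read_tlv(inner, off)
        if t in out:  # a repeated [2] realm could route one way and be parsed another
            raise ValueError("duplicate field %#x" % t)
        out[t] = v
    return out

def need(d, tag, inner_tag):  # contents of required field [tag], type-checked
    t, v, _ = read_tlv(d[tag]) if tag in d else (None, None, None)
    if t != inner_tag:
        raise ValueError("field [%d] missing or has tag %r" % (tag & 0x1F, t))
    return v

def kdc_req_realm(msg):
    """Realm from the req-body of an AS-REQ/TGS-REQ. Client-supplied, so untrusted."""
    tag, body, end = read_tlv(msg)
    if end != len(msg) or tag not in (AS_REQ_APP, TGS_REQ_APP):
        raise ValueError("not a KDC-REQ")
    top = fields(body)
    pvno, msg_type = (int.from_bytes(need(top, ctx(i), INT), "big", signed=True) for i in (1, 2))
    if pvno != 5 or msg_type != (10 if tag == AS_REQ_APP else 12) or ctx(4) not in top:
        raise ValueError("bad pvno, msg-type or missing req-body")
    return need(fields(top[ctx(4)]), ctx(2), GENSTR).decode("utf-8")

def unframe_tcp(record):
    n = int.from_bytes(record[:4], "big") if len(record) >= 4 else -1
    if n < 0 or n & 0x80000000 or len(record) != 4 + n:  # reserved high bit: refuse
        raise ValueError("malformed TCP record")
    return record[4:]

def kkdcp_wrap(framed, target_domain=None):  # MS-KKDCP KDC-PROXY-MESSAGE
    body = tlv(ctx(0), tlv(OCTSTR, framed))  # kerb-message [0] OCTET STRING
    if target_domain is not None:  # target-domain [1] KerberosString OPTIONAL
        body += tlv(ctx(1), tlv(GENSTR, target_domain.encode("utf-8")))
    return tlv(SEQ, body)

def kkdcp_unwrap(blob):  # -> (framed KDC record, target-domain or None)
    f = fields(blob)
    hint = need(f, ctx(1), GENSTR).decode("utf-8") if ctx(1) in f else None
    return need(f, ctx(0), OCTSTR), hint

BACKENDS = {"EXAMPLE.COM": ("10.10.0.10", 88), "TENANT2.EXAMPLE": ("10.10.1.10", 88)}  # constructed

def route(record, backends=BACKENDS):  # None = fail closed: unknown realm, no default backend
    return backends.get(kdc_req_realm(unframe_tcp(record)))  # exact, case-sensitive match

def route_kkdcp(blob, backends=BACKENDS):  # drop requests whose hint contradicts the body
    framed, hint = kkdcp_unwrap(blob)
    realm = kdc_req_realm(unframe_tcp(framed))
    return None if hint is not None and hint != realm else backends.get(realm)

def principal(name_type, *parts):  # PrincipalName { name-type [0], name-string [1] }
    return tlv(SEQ, tlv(ctx(0), tlv(INT, bytes([name_type])))
               + tlv(ctx(1), tlv(SEQ, b"".join(tlv(GENSTR, p.encode()) for p in parts))))

def sample_as_req(realm="EXAMPLE.COM"):  # constructed AS-REQ: alice@realm asks for a TGT
    req_body = tlv(SEQ, tlv(ctx(0), tlv(BITSTR, b"\x00" * 5))  # kdc-options: none
        + tlv(ctx(1), principal(1, "alice"))  # cname, NT-PRINCIPAL
        + tlv(ctx(2), tlv(GENSTR, realm.encode("utf-8")))  # realm
        + tlv(ctx(3), principal(2, "krbtgt", realm))  # sname, NT-SRV-INST
        + tlv(ctx(5), tlv(GENTIME, b"20240313170000Z"))  # till
        + tlv(ctx(7), tlv(INT, b"\x12\x34\x56\x78"))  # nonce
        + tlv(ctx(8), tlv(SEQ, tlv(INT, b"\x12") + tlv(INT, b"\x11"))))  # etypes 18, 17
    return tlv(AS_REQ_APP, tlv(SEQ, tlv(ctx(1), tlv(INT, b"\x05"))  # pvno 5
                                + tlv(ctx(2), tlv(INT, b"\x0a"))  # msg-type KRB_AS_REQ
                                + tlv(ctx(4), req_body)))
```

`route(frame_tcp(sample_as_req()))` returns the EXAMPLE.COM backend; an unknown or differently cased realm returns None rather than a default, and a record whose length prefix has the reserved high bit set, or whose DER is truncated or carries a duplicated field, is rejected before any backend is chosen. The realm in the request is plaintext chosen by the client, so it is only a routing key, never an authentication decision; the KDC behind it still validates the principal. For UDP, the point raised in the thread stands: the datagram is the bare KDC-REQ with no length prefix, so `kdc_req_realm` applies to it directly, but the router must also remember the client's source address to return the reply, which is what the old prepend-the-address proxy did.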