[2648] in Kerberos
Re: inter realm authentication
daemon@ATHENA.MIT.EDU (Steve Lunt)
Wed Mar 24 10:45:29 1993
Date: Wed, 24 Mar 93 10:26:26 EST
From: Steve Lunt <lunt@ctt.bellcore.com>
To: schoenw@ibr.cs.tu-bs.de
Cc: kerberos@Athena.MIT.EDU
The client doesn't need to be aware of the hierarchy. You
present your TGT (krbtgt.localrealm@localrealm) and request a foreign TGT
(krbtgt.foreignrealm@localrealm) from your local Kerberos server. If
it cannot produce this (meaning it hasn't shared a key with that
realm), it will instead give you krbtgt.some_other_realm@localrealm.
You then take this and present it to some_other_realm and repeat the
process until you get your proper foreign TGT, which you present in
exchange for the service ticket in question.
The Kerberos server must know which is the "closest" realm.
See the draft RFC on Kerberos V5.
-- Steve
Steven J. Lunt                           lunt@bellcore.com
Information Technology Security          RRC 1L-213
Bellcore                                 444 Hoes Lane
(908) 699-4244                           Piscataway, NJ 08854
> From: schoenw@ibr.cs.tu-bs.de (Juergen Schoenwaelder)
>
> In version 5, inter realm authentication is done using a hierarchy
> of cooperating realms. An application gets a ticket-granting ticket
> for a foreign realm by walking up and down the hierarchy.
>
> Now my question: Who is actually contacting the intermediate KDC's?
> Is it the application that walks the tree or does the application
> contact its local KDC which walks the tree and returns the ticket
> to the application?