[32963] in Kerberos
Re: Kerberize Webserver outside our domain
daemon@ATHENA.MIT.EDU (Brian Candler)
Wed Dec 15 15:51:59 2010
Date: Wed, 15 Dec 2010 20:51:46 +0000
From: Brian Candler <B.Candler@pobox.com>
To: Andreas Bruckmeier <dev@bruckmeier.org>
Message-ID: <20101215205146.GA7111@talktalkplc.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <001601cb9c2b$dc29e110$947da330$@org>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On Wed, Dec 15, 2010 at 08:44:09AM +0100, Andreas Bruckmeier wrote:
> we will set up a new domain in our office using a windows server with active
> directory and its Kerberos component.
> In a test environment we were able to kerberize a local webserver with
> mod_auth_kerb.
> Now I have the question if it is possible to also kerberize a public
> webserver standing outside our office, maybe with the webserver connected
> via VPN for KDC-connections.
> Is this possible?
It should be OK.
Note that for normal client->server authentication, it's the client's
responsibility to talk to the KDC(s) to get the correct ticket: as I
understand it, the server doesn't have to talk to the KDC at all.
It may need to talk to the KDC when initially setting up the shared secret,
depending on how you do this. (If the web server is a Linux box you could get
the third party program css_adkadmin, or I think there are components of
Samba which can do it too.)
> and is this the main purpose of the domain_realm mapping?
The main purpose of domain_realm is for working with multiple Kerberos
realms. Because it's the client's responsibility to get the correct ticket
for talking to a host, it has to find out what realm that host is in first,
and then exchange tickets with intermediate KDC(s) as necessary.
That's another way to build it: have a KDC for a separate realm on the
"outside", and the service machines join that realm. Then you set up
cross-realm trust between your internal AD realm, and your external realm
(which could be MIT Kerberos). This could be worthwhile if you have lots of
machines on the outside.
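An added illustration of the two points made in this reply (the client first maps the target host to a realm through `[domain_realm]`, then follows the cross-realm path from `[capaths]` before it can ask for the `HTTP/host` service ticket that mod_auth_kerb verifies). This script is example code written for this thread, not part of MIT Kerberos, Active Directory or mod_auth_kerb; the realm names `OFFICE.EXAMPLE` / `PUBLIC.EXAMPLE`, the hostnames and the krb5.conf text are constructed, and the parser is a deliberately minimal one that handles only the one level of `{ }` nesting these sections use.

```python
"""Work out, client-side, which realm a host belongs to and which cross-realm
hops a ticket request has to make, from a krb5.conf-style configuration.

Example code for illustration; not from MIT krb5 or mod_auth_kerb.
All realm names, hostnames and the configuration below are constructed.
"""

# Constructed krb5.conf: an internal AD realm plus an external MIT realm
# joined by a direct cross-realm trust ('.' in [capaths] means direct).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = OFFICE.EXAMPLE

[realms]
    OFFICE.EXAMPLE = {
        kdc = dc1.office.example
    }
    PUBLIC.EXAMPLE = {
        kdc = kdc.public.example
    }

[domain_realm]
    .office.example = OFFICE.EXAMPLE
    office.example = OFFICE.EXAMPLE
    www.public.example = PUBLIC.EXAMPLE
    .public.example = PUBLIC.EXAMPLE

[capaths]
    OFFICE.EXAMPLE = {
        PUBLIC.EXAMPLE = .
    }
    PUBLIC.EXAMPLE = {
        OFFICE.EXAMPLE = .
    }
"""


def parse_krb5_conf(text):
    """Minimal parser: [section] blocks of 'key = value' lines, with one
    level of 'NAME = { ... }' nesting (enough for realms and capaths)."""
    conf, section, nested = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf[section] = {}
            nested = None
        elif line == "}":
            nested = None
        elif line.endswith("{"):
            nested = line[:-1].partition("=")[0].strip()
            conf[section][nested] = {}
        else:
            key, _, value = line.partition("=")
            target = conf[section][nested] if nested else conf[section]
            target[key.strip()] = value.strip()
    return conf


def realm_for_host(conf, hostname):
    """Apply the [domain_realm] rules: an exact hostname entry wins, then the
    longest matching '.domain' suffix, then default_realm as the fallback."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):  # longest suffix first
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return conf.get("libdefaults", {}).get("default_realm")


def cross_realm_path(conf, client_realm, server_realm):
    """Realms the client must obtain cross-realm TGTs for, in order.
    Simplified: a [capaths] value of '.' is a direct trust, any other
    value names a single intermediate realm to go through first."""
    if client_realm == server_realm:
        return []
    hop = conf.get("capaths", {}).get(client_realm, {}).get(server_realm)
    if hop is None:
        raise LookupError(f"no capath from {client_realm} to {server_realm}")
    return [server_realm] if hop == "." else [hop, server_realm]


def ticket_plan(conf, client_realm, hostname):
    """Service principal the web server must hold a key for, plus the
    cross-realm hops the client walks to reach it."""
    realm = realm_for_host(conf, hostname)
    principal = f"HTTP/{hostname.lower()}@{realm}"
    return principal, cross_realm_path(conf, client_realm, realm)


if __name__ == "__main__":
    cfg = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for host in ("intranet.office.example", "www.public.example"):
        print(host, "->", ticket_plan(cfg, "OFFICE.EXAMPLE", host))
```

The useful thing to notice is that the web server itself never appears in this flow: only the client consults the KDCs, and the server just needs a keytab containing `HTTP/<hostname>@<realm>`, where both the hostname and the realm must agree with what the client's `[domain_realm]` mapping produces.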
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos