
Re: Split IAKERB for local KDCs cross-realm setup?

daemon@ATHENA.MIT.EDU (Alexander Bokovoy via krbdev)
Fri Mar 28 15:31:59 2025

Date: Fri, 28 Mar 2025 21:31:13 +0200
To: Nico Williams <nico@cryptonector.com>
Message-ID: <Z+b5AbGfzhP8oCm7@redhat.com>
MIME-Version: 1.0
In-Reply-To: <Z+b0Si8vUubnl/0D@ubby>
Content-Disposition: inline
From: Alexander Bokovoy via krbdev <krbdev@mit.edu>
Reply-To: Alexander Bokovoy <abokovoy@redhat.com>
Cc: "krbdev@mit.edu Dev List" <krbdev@mit.edu>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On Fri, 28 Mar 2025, Nico Williams wrote:
>On Fri, Mar 28, 2025 at 09:01:33PM +0200, Alexander Bokovoy via krbdev wrote:
>> > That said, I don't have any evidence that IAKERB is being used in the
>> > environment it was designed for.
>>
>> My understanding is that at least Microsoft is not planning to apply any
>> additional logic to limit/handle local KDC knowledge beyond the basic
>> realm discovery. This comes from my discussion with Steve Syfuhs.
>> However, this also means that as long as the initiator logic we discuss
>> in this thread is based on the already existing
>> KRB_AP_ERR_IAKERB_KDC_{NO_RESPONSE,NOT_FOUND} messages, it would be
>> compatible, at least at the cost of possible KDC locator timeouts.
>
>Hmmm, well, if you've seen how "fun" it is to configure BYOD VPN access
>w/ Negotiate for apps and also for web proxies then I think one should
>prepare for having to add bandaids for painful situations.
>
>E.g., the iOS HTTP stack will acquire Kerberos credentials upon 401 but
>not upon 407, so 407s when you already have credentials work but if you
>don't already have credentials or they're expired then 407s fail.
>
>I could see the need to be able to deal with complex realm KDC access
>policies.
>
>Where's the latest IAKERB I-D?

I believe we are still at draft-ietf-kitten-iakerb-03, the latest
discussion was this thread on the kitten@:

     [kitten] Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

in 2023 (https://mailarchive.ietf.org/arch/msg/kitten/VLOAFb4Furo4T4nr88FNrjXG6Gw/).

I haven't seen any update to 03 in the
https://github.com/kittenwg/iakerb, though.

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
