Kerberos referrals

Schedule

• Refresh draft and publish before interim meeting

• Current date - December 20(tentative)

Basic referral mechanism

• Motivation– Client config changes are not scalable– MS deployments are heavily cross realm

oriented

• Mechanism– KDC issues referrals– Client chases referrals

AS referrals

• Client uses KRB-NT-ENTERPRISE in request

• Client sets ‘canonicalize’

• KDC returns– KRB-NT-PRINCIPAL if name found– KDC_ERR_WRONG_REALM if referral– KDC_ERR_C_PRINCIPAL_UNKNOWN

TGS referrals

• Client sends TGS-REQ with ‘canonicalize’

• KDC returns TGS-REP– with service ticket if service found– Cross realm TGT if the service in another

realm

Issues

• Referrals and canonicalization

• Client name canonicalization issues– Possible issues with name based access

control– Can only get canonicalization when

authenticating