> Looking at Apple documentation I see the support for something I had
> never heard of: Kerberos Key Distribution Center Proxy.
>
> Looks like a solution to encapsulate Kerberos requests into an HTTPS.
>
> Any experience on this here?
I personally have not used that, but I know that MIT Kerberos supports that (as far as I can tell, that protocol exists just because firewall people are dumb, but that's neither here nor there).

That contains a wrapper ASN.1 structure which has the target realm in it, so you could use that for routing (although the target domain is listed as an optional element to the KDC_PROXY_MESSAGE, so that suggests to me you can't rely on it). So you're still going to have to write code to parse an ASN.1 structure to do backend routing.

It does occur to me that maybe if you have different KDC hostnames but the same IP address you could use TLS SNI or hostname routing, which you indicated you already use, and maybe that would be simpler? That presumes the client implementations set the SNI field (I see that it does send a "Host" header, and it looks like MIT Kerberos does set the SNI hostname).

--Ken

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
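The wrapper Ken refers to, as an added example that is not code from this thread or from MIT Kerberos: a small DER parser for the KDC-PROXY-MESSAGE structure that returns target-domain when the client sent it and None when it was omitted, so a proxy can route on the realm where possible and fall back to SNI or the Host header otherwise. Element names and tags follow the MS-KKDCP definition; the Kerberos payload bytes in the test are constructed, not a real AS-REQ.

```python
"""
KDC-PROXY-MESSAGE ::= SEQUENCE {
    kerb-message   [0] OCTET STRING,           -- 4-octet length + KRB message
    target-domain  [1] KERB-REALM OPTIONAL,    -- KerberosString (GeneralString, tag 0x1B)
    dclocator-hint [2] INTEGER OPTIONAL
}
"""
from typing import Optional, Tuple


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def parse_kdc_proxy_message(der: bytes) -> Tuple[bytes, Optional[str], Optional[int]]:
    """Return (kerb_message, target_domain_or_None, dclocator_hint_or_None)."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("KDC-PROXY-MESSAGE must be a SEQUENCE")
    kerb_message, realm, hint, pos = None, None, None, 0
    while pos < len(body):
        ctx, inner, pos = _read_tlv(body, pos)   # [0]/[1]/[2] are constructed context tags
        itag, ival, _ = _read_tlv(inner, 0)
        if ctx == 0xA0 and itag == 0x04:
            kerb_message = ival
        elif ctx == 0xA1 and itag == 0x1B:
            realm = ival.decode("ascii")          # realm present: usable for routing
        elif ctx == 0xA2 and itag == 0x02:
            hint = int.from_bytes(ival, "big", signed=True)
        else:
            raise ValueError(f"unexpected element 0x{ctx:02x}/0x{itag:02x}")
    if kerb_message is None:
        raise ValueError("kerb-message is mandatory")
    return kerb_message, realm, hint


def _tlv(tag: int, value: bytes) -> bytes:
    assert len(value) < 128                 # short-form length is enough for test messages
    return bytes([tag, len(value)]) + value


def build_kdc_proxy_message(kerb_message: bytes, target_domain: Optional[str] = None) -> bytes:
    """Encode a wrapper, with or without the optional target-domain (for tests/clients)."""
    elems = _tlv(0xA0, _tlv(0x04, kerb_message))
    if target_domain is not None:
        elems += _tlv(0xA1, _tlv(0x1B, target_domain.encode("ascii")))
    return _tlv(0x30, elems)
```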
