David Lawler Christiansen (NT) wrote:

> Standard Disclaimer: Speaking for myself, not necessarily my employer.


Ditto :)

[...]


> It's true that you can't get the token information out of the ticket if
> the KDC cannot generate a PAC (presumably because it is not an MS KDC).
> 
> However, this doesn't render your server useless.  What it does do is
> deprive you of the benefits that a Windows Domain grants you, which go
> far beyond just Kerberos authentication.  The server itself is just as
> configurable and useful as it was before-- you just have to manage it
> differently.


I disagree with this point - by making it much more cumbersome to
administer and removing it from the Windows Domain, the incentive
to use anything other than MS as the KDC is eliminated.

> For example, Windows Domains have Group Policy, which enables you to
> make sweeping changes within your domain in a convenient manner.  Those
> changes can be made without group policy-- it's just not as easy.


"It's just not as easy" is the key point here. Ease of use is a primary
motivator in the marketplace.



>>Not being able
>>to actually write software to generate the PAC field from a 
>>non-MS server is the root of this problem.  
>>
> 
> You don't NEED the PAC to interop with us.  That's by design in RFC1510.
> The point is, at the protocol level, all clients (us included) work fine
> without it.  Yes, it may make some domain-level features in Windows
> harder to use, but those features are not part of Kerberos and don't
> have anything to do with interop (IMHO).
> 


You used Kerberos and extended into other parts of the OS, thus making
them at least partially relevant here.  If one can only access
certain Kerberized features of your system by using your own
Kerberos implementation then you can't claim interoperability
with everyone.

I suppose there is a semantic argument here about whether we are
talking about the Kerberos Protocol itself (RFC 1510) or the
suite of Kerberos software in the public domain (MIT KRB5
for example).  Yes, you are using the protocol correctly, no
argument there.


[...]
> 
>>The short answer is, if you want a Kerberized network with a
>>mixture of Microsoft and non-Microsoft software, you'd better
>>let MS be the KDC or else you forfeit a lot of the nice MS
>>features.  It's a backhanded way of forcing people to choose
>>your tools.
>>
>>-Wyllys
>>
> 
> No.  We intend for people to "choose our tools" because our tools meet
> their needs in ways that other tools do not.  This may be by
> implementing features nobody else has, or implementing them better.
> Providing a better story in their particular environment, or it might
> even be because of something else not directly related to the product,
> like better customer service.


But you aren't allowing people to make this comparison on an
apples-to-apples basis.  By removing domain features and making it much
more cumbersome to administer your own systems, the scales are weighted
much more heavily in your own favor.  It's a smart business move on your
part, but it generates ill-will because the whole thing is based
on an open standard.

-Wyllys