If Alice can share a key with the KDC then Alice can be issued a service principal name and act as part of the realm.
Jeffrey Altman

Florian Frankenberger wrote:
> Thank you, Mike.
>
> In my case, Alice isn't running in a domain at all. That's why I have to
> implement the check for authenticity on Alice's side in my own way. So what
> about the idea of having the service ticket encrypted with the symmetric key
> that only the KDC and Alice know? Doesn't this mean a kind of secure proof of
> authenticity to Alice if the ticket passed by Bob can be decrypted with the
> shared secret key?
> Or is it simply impossible to get a service ticket for a service that doesn't
> exist in this or any other domain?
>
>
> -----Original Message-----
> From: Michael B Allen [mailto:[EMAIL PROTECTED]
> Sent: Monday, 21 August 2006 20:49
> To: Florian Frankenberger
> Cc: [email protected]
> Subject: Re: Using a Kerberized application outside the Kerberos Realm
>
>
> On Mon, 21 Aug 2006 18:40:28 +0200
> "Florian Frankenberger" <[EMAIL PROTECTED]> wrote:
>
>> My problem is that Alice is not in the domain in which the KDC is running.
>> To be more precise, the KDC and the service Alice are set up in different
>> network environments and thus do not know each other.
>> Is it possible to create a kerberized service that is not part of the
>> Kerberos realm? If yes, what do I have to do?
>
> Alice and Bob have to be in the same realm or in separate realms that
> have a trust established between them. Otherwise there is no basis for
> establishing trust between Alice and Bob. Kerberos is a "third party
> authentication system" so there needs to be someone both principals trust.
>
>> I thought of sharing the symmetric service key between the KDC and Alice. To
>> do so, I tried to create the service Alice with ktpass, give the encryption
>> key so created to Alice and let Alice decrypt the service tickets that will
>> be delivered by Bobs later.
>>
>> Is this procedure possible in theory? Does anyone know how to obtain the
>> service ticket by using JAAS? I only managed to get the TGT.
>
> If Bob requests a ticket for ALICESVC/[EMAIL PROTECTED] then
> even if Bob is [EMAIL PROTECTED] he should have no problem looking up the
> KDC for AI-AG.DE using DNS and getting a ticket per usual. But a trust
> relationship would be required between AI-AG.DE and AI-AG.US.
>
> Mike
>
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
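The point both replies make, as an added example that is not part of the thread and not code from MIT Kerberos or any other implementation: a service (Alice) that shares one long-term key with the KDC, the key exported into a keytab with ktpass, can validate a service ticket handed to it by a client (Bob) using nothing but that key, with no network path between Alice and the KDC. The model below is deliberately minimal and stdlib-only: the cipher is an HMAC-SHA256 keystream plus HMAC tag standing in for a real Kerberos encryption type, the TGT step is skipped (the TGS reply is sealed directly under Bob's key), and the principal names, realm string and lifetimes are assumptions. It also shows the answer to the last question in the quoted mail: the KDC cannot issue a ticket for a service principal it holds no key for, and a ticket sealed by anyone other than the KDC fails Alice's check.

```python
"""Toy AP exchange: service validates a ticket with only its keytab key.
Added example; not from the thread or any Kerberos implementation."""
import hashlib, hmac, json, os, time

SKEW = 300  # max clock skew accepted by the service (RFC 4120 default, seconds)

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable object. Stand-in for a Kerberos etype."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_(key, blob):
    """Verify and decrypt; ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Holds every principal's long-term key. No key in the table, no principal,
    so no ticket can be issued for it (the 'service that doesn't exist' case)."""
    def __init__(self, keys):
        self.keys = keys

    def tgs_req(self, client, service, now, lifetime=8 * 3600):
        if service not in self.keys:
            raise KeyError("unknown service principal %s" % service)
        session_key = os.urandom(32).hex()
        ticket = seal(self.keys[service], {        # readable only by the service
            "cname": client, "sname": service, "key": session_key, "endtime": now + lifetime})
        enc_part = seal(self.keys[client], {       # readable only by the client
            "sname": service, "key": session_key, "endtime": now + lifetime})
        return ticket, enc_part

def client_ap_req(client, client_key, kdc, service, now):
    """Bob: fetch a service ticket, then build AP-REQ = ticket + authenticator."""
    ticket, enc_part = kdc.tgs_req(client, service, now)
    session_key = bytes.fromhex(open_(client_key, enc_part)["key"])
    return ticket, seal(session_key, {"cname": client, "ctime": now})

def service_verify(keytab_key, service, ticket, authenticator, now):
    """Alice: validate an AP-REQ with her keytab key alone; returns the client
    principal or raises ValueError. The KDC is never contacted."""
    t = open_(keytab_key, ticket)                  # only the KDC could have sealed this
    if t["sname"] != service:
        raise ValueError("ticket is for another service")
    if now > t["endtime"]:
        raise ValueError("ticket expired")
    a = open_(bytes.fromhex(t["key"]), authenticator)  # proves Bob holds the session key
    if a["cname"] != t["cname"] or abs(now - a["ctime"]) > SKEW:
        raise ValueError("authenticator does not match ticket or is stale")
    return t["cname"]

# Constructed scenario (assumed names): one realm; Bob can reach the KDC and
# Alice, but Alice's network cannot reach the KDC. Alice's key is the keytab.
REALM = "AI-AG.DE"
BOB = "bob@" + REALM
ALICE = "ALICESVC/alice.example.net@" + REALM
KEYS = {BOB: os.urandom(32), ALICE: os.urandom(32)}
kdc = KDC(KEYS)

def authenticated_client(now=None):
    """Honest run: Bob obtains a ticket for ALICESVC and Alice accepts it."""
    now = int(time.time()) if now is None else now
    ticket, auth = client_ap_req(BOB, KEYS[BOB], kdc, ALICE, now)
    return service_verify(KEYS[ALICE], ALICE, ticket, auth, now)

def forged_ticket_accepted(now=None):
    """Someone without the keytab key fabricates a ticket: Alice must reject it."""
    now = int(time.time()) if now is None else now
    session = os.urandom(32).hex()
    ticket = seal(os.urandom(32), {"cname": "mallory@" + REALM, "sname": ALICE,
                                   "key": session, "endtime": now + 3600})
    auth = seal(bytes.fromhex(session), {"cname": "mallory@" + REALM, "ctime": now})
    try:
        service_verify(KEYS[ALICE], ALICE, ticket, auth, now)
        return True
    except ValueError:
        return False

def ticket_for_unknown_service(now=None):
    """A service principal the KDC holds no key for cannot be ticketed."""
    now = int(time.time()) if now is None else now
    try:
        kdc.tgs_req(BOB, "NOSUCHSVC/x@" + REALM, now)
        return True
    except KeyError:
        return False

if __name__ == "__main__":
    print("accepted client:", authenticated_client())
    print("forged ticket accepted:", forged_ticket_accepted())
    print("ticket for unknown service:", ticket_for_unknown_service())
```

What the model shows is exactly Florian's intuition: being able to open the ticket with the keytab key, plus a matching authenticator under the session key inside it, is Alice's proof that the KDC vouched for Bob, and Alice never talks to the KDC. What it does not model is Mike's condition on the other side: Bob still has to reach a KDC that can issue a ticket for ALICESVC, either the KDC of AI-AG.DE directly or his own realm's KDC via a cross-realm trust. In practice the keytab must also carry the same key version number (kvno) the KDC currently holds for the principal, or the service will fail to decrypt tickets that are otherwise valid.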
