On Fri, Nov 28, 2014 at 1:15 AM, Rick van Rein <r...@openfortress.nl> wrote:
> Hey,
>
> > There were numerous advantages to this approach for our environment,
> > however we never deployed it. I should have written a brief paper at the
> > time.
>
> You still may ;-)
>
> It would require a new SRV record, and it would confuse Kerberos clients,
> I suspect. But it’s an interesting angle.
>

IIRC, we were going to remove the traditional AS altogether. So a standard client would need a TGT to start with (retrieved from the TGS, I don't recall if this was a special case or just treated as an ordinary ticket) and would only have to or be able to interact with the TGS.

Now I remember the primary advantage -- more extensibility and choices (even dynamic) of initial authentication methods. But this also led to follow-on advantages.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos