Hi, I was also surprised about the fear of opening a KDC up to the public, but...
> The idea of making the Active Directory server reachable from the public internet is simply frightening to them.

…in this specific vendor case I can imagine. The closedness of the code, combined with the track record of this particular vendor in security matters, would make me think again. That is perhaps FUD-based reasoning.

> http://technet.microsoft.com/en-us/library/dn509513.aspx
>
> The key quote here:
>
> Domain controllers and AD FS servers should never be exposed
> directly to the Internet and should only be reachable through the
> VPN connection.

This is a very general statement, and is too broad to conclude that the Kerberos5 p[ao]rt should be confined to a LAN.

> Also, I suspect that many AD administrators don't see the need; why
> would you ever take a managed computer outside of the intranet?

The modern keyword “mobility” springs to mind… And of course “SSO” as a clinching argument for users…

-Rick

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos