On 03/15/2017 11:39 AM, Osipov, Michael wrote:

> So there is basically no way to tell MIT Kerberos if your home realm is
> unable to route the request, it should try other realms, correct?
No; we have a fallback realm mechanism in the TGS client code, but it only tries one realm (determined by TXT records or DNS heuristics) and you can't configure a list. We haven't implemented a TGS realm search path because:

1. It's not completely secure, in that an attacker can forge error messages to make the client walk the list past the ideal destination for a given service. FAST TGS was supposed to fix this, but for various reasons it doesn't.

2. The TGS client code is already really complicated, and we're reluctant to add more complexity to code that is hard to understand as it is.

3. There are some caching concerns, which if left unaddressed would lead to a lot of repeated TGS requests to the earlier realms.

That said, I'm told Heimdal recently added support for a feature like this, so if Microsoft does as well, that makes us the odd one out, and we should perhaps reconsider.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
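The reply above says the client's fallback realm is "determined by TXT records or DNS heuristics" and that a configurable list does not exist. The following is an added illustration, written for this page and not taken from MIT krb5, of how such a single fallback realm is derived for a host: an explicit `[domain_realm]`-style mapping first, then `_kerberos.<name>` TXT records walked up the parent domains (only when a `dns_lookup_realm` switch is on, mirroring MIT's default of leaving it off because TXT answers are unauthenticated DNS data), and finally the uppercased parent domain. The TXT table and the `domain_realm` mapping are constructed sample data, and the function and parameter names are this example's own; the ordering is modelled on the documented MIT behaviour but is not the library's code.

```python
"""Modelled fallback-realm lookup for a Kerberos client (added example).

Order of precedence, approximating the documented MIT krb5 behaviour:
  1. explicit [domain_realm]-style mapping (exact host, then longest '.suffix')
  2. _kerberos.<host>, _kerberos.<parent>, ... TXT records, if DNS lookup is on
  3. the uppercased parent domain of the host
  4. a default realm when the host has no parent domain at all
"""
from typing import Dict, List, Optional

# Constructed sample data: a TXT record that only the DNS path can find,
# and a krb5.conf-like [domain_realm] mapping.
TXT_RECORDS: Dict[str, str] = {"_kerberos.example.com": "EXAMPLE.COM"}
DOMAIN_REALM: Dict[str, str] = {
    ".lab.example.net": "LAB.EXAMPLE.NET",      # suffix rule
    "legacy.example.org": "OLD.EXAMPLE.ORG",    # exact-host rule
}


def parent_names(hostname: str) -> List[str]:
    """Host name followed by each parent domain, longest first.

    'db1.corp.example.com' -> ['db1.corp.example.com', 'corp.example.com',
                               'example.com', 'com']
    """
    labels = hostname.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def realm_from_domain_realm(hostname: str, domain_realm: Dict[str, str]) -> Optional[str]:
    """Exact host entry wins; otherwise the longest matching '.suffix' entry."""
    names = parent_names(hostname)
    if names[0] in domain_realm:
        return domain_realm[names[0]]
    for name in names:  # walking parents gives longest-suffix match first
        realm = domain_realm.get("." + name)
        if realm:
            return realm
    return None


def realm_from_txt(hostname: str, txt_records: Dict[str, str]) -> Optional[str]:
    """First _kerberos.<name> TXT answer found walking up the parent domains.

    TXT data is unauthenticated, so a client that trusts it accepts whatever
    realm the DNS path returned; that is why this step is off by default.
    """
    for name in parent_names(hostname):
        realm = txt_records.get("_kerberos." + name)
        if realm:
            return realm.strip().upper()
    return None


def fallback_realm(hostname: str,
                   txt_records: Dict[str, str],
                   domain_realm: Optional[Dict[str, str]] = None,
                   default_realm: str = "DEFAULT.REALM",
                   dns_lookup_realm: bool = False) -> str:
    """Return the single fallback realm the modelled client would try."""
    realm = realm_from_domain_realm(hostname, domain_realm or {})
    if realm:
        return realm
    if dns_lookup_realm:
        realm = realm_from_txt(hostname, txt_records)
        if realm:
            return realm
    names = parent_names(hostname)
    if len(names) >= 2:
        return names[1].upper()   # uppercased parent domain heuristic
    return default_realm


if __name__ == "__main__":
    for host in ("db1.corp.example.com", "host.lab.example.net",
                 "legacy.example.org", "localhost"):
        print(host, "->", fallback_realm(host, TXT_RECORDS, DOMAIN_REALM),
              "/ with DNS:", fallback_realm(host, TXT_RECORDS, DOMAIN_REALM,
                                            dns_lookup_realm=True))
```

Note how the same host yields different realms depending on whether the DNS step is enabled: with it off, `db1.corp.example.com` maps to `CORP.EXAMPLE.COM` purely from its name, while with it on the `_kerberos.example.com` TXT record wins. Either way only one realm comes out, which is the limitation the reply describes; there is no list to walk.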