I am not sure that my statement is right here. If I am wrong, please correct me.
The Kerberos protocol works atop the TCP protocol. The Kerberos protocol has its own different implementations, such as MIT Kerberos. On top of Kerberos, there is a virtual layer, SASL (Simple Authentication and Security Layer); this SASL layer can use different mechanisms, including Kerberos. There is an upper-layer implementation called GSSAPI (generic security system API). It also holds different mechanisms underneath, including Kerberos. I am not sure of the relationship between SASL and GSSAPI.

Per my understanding of the Kerberos implementation, it is all inside TCP. I haven't checked the implementation, but I guess that the Kerberos TGT is sent by the client to the kerberized service over TCP.

My question is: how does this happen in a Proxy-in-the-middle environment? How does the kerberized service know that the Proxy-in-the-middle is trusted, and which client the request is from? On the client side, how can the client know where the kerberized service is and where the Proxy-in-the-middle is?

Regards,
Dong

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos