Re: heimdal 0.5.2 and v4 cross-realm

"Henry B. Hotz" <hotz@jpl.nasa.gov> writes:

> Correct me if I'm wrong, but as I understand cross-realm
> authentication the user requests the cross-realm ticket of his own
> KDC, which obtains them on his behalf and forwards them back to
> him. In other words cross-realm ticket requests always originate from
> the other realm's KDC, not directly from the user.

No. The client realises that the requested service is in another
realm, and then requests a cross-realm ticket for the other realm from
its own KDC. The client then uses that ticket to talk to a KDC in the
other realm.

It's only the client that talks to the KDC, KDCs and other servers
(the KDC is just a kerberised service) never do.
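
The flow described in the reply above, as an added toy model (not part of the original message and not Heimdal code). It records who sends each request, so the trace shows that only the client contacts either KDC. The realm names A and B, the principals, the keys and all function names are constructed for illustration, and a ticket is "sealed" by naming its key rather than by real encryption.

```python
# Toy model, not real Kerberos: a ticket is "sealed" by recording the key that
# protects it; there is no cryptography. All names and keys are constructed.
TRACE = []  # one (sender, receiver, requested principal) tuple per network message

class KDC:
    def __init__(self, realm, keys):
        self.realm, self.keys = realm, keys   # keys: principal -> long-term key

    def _issue(self, client, target):
        if target not in self.keys:           # unknown here: refuse, never ask another KDC
            raise KeyError(target)
        return {"client": client, "service": target, "sealed_with": self.keys[target]}

    def as_request(self, client):             # initial login: TGT for the home realm
        target = f"krbtgt.{self.realm}@{self.realm}"
        TRACE.append((client, "kdc." + self.realm, target))
        return self._issue(client, target)

    def tgs_request(self, sender, tgt, target):
        TRACE.append((sender, "kdc." + self.realm, target))
        # Accept only a ticket-granting ticket addressed to this realm and
        # sealed under a key this KDC holds (local TGS key or inter-realm key).
        key = self.keys.get(tgt["service"])
        if not tgt["service"].startswith(f"krbtgt.{self.realm}@") or key != tgt["sealed_with"]:
            raise PermissionError("ticket not valid at realm " + self.realm)
        return self._issue(tgt["client"], target)

def get_service_ticket(client, service, kdcs):
    home, remote = client.split("@")[1], service.split("@")[1]
    tgt = kdcs[home].as_request(client)
    if remote != home:
        # The client notices the foreign realm and asks its OWN KDC for krbtgt.REMOTE@HOME.
        tgt = kdcs[home].tgs_request(client, tgt, f"krbtgt.{remote}@{home}")
    # The client itself presents that ticket to the KDC of the service's realm.
    return kdcs[remote].tgs_request(client, tgt, service)

def build_realms():
    inter = "key-inter-A-B"                   # inter-realm key known to both KDCs
    return {"A": KDC("A", {"krbtgt.A@A": "key-tgs-A", "krbtgt.B@A": inter}),
            "B": KDC("B", {"krbtgt.B@B": "key-tgs-B", "krbtgt.B@A": inter,
                           "rcmd.host@B": "key-host"})}

if __name__ == "__main__":
    ticket = get_service_ticket("alice@A", "rcmd.host@B", build_realms())
    for sender, receiver, wanted in TRACE:
        print(f"{sender} -> {receiver}: {wanted}")
    print("final ticket:", ticket)
```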