Kerberos 5 over a Natted IP Address

Posted on 2006-06-13
Last Modified: 2010-03-18
Hi Experts,

I need to ask a question about Kerberos 5 (Windows 2000 AD Domain) over Natted IP. I have a lab environment that talks to production over Natted IP addresses.

Everything was working fine until we decided to implement an application that required Kerberos authentication. I understand that Kerberos tickets stamp themselves with the REAL IP address of the server that they are issued from. When they reach the destination server, since the IP address that is stamped into the ticket is not the NATTED IP address, the destination server rejects them.

After reading RFC 3027 it appears that the only way to get around this is to either use a "pool" of IP addresses that can be incorporated into the Kerberos ticket, or use ticket-less Kerberos, which is unacceptable.

Does anybody know ANYTHING that can be done without compromising the ticket security?

We are using Cisco equipment in both lab and production.
Active Directory 2000, Domain controllers are SP4a.

Please help!!
Question by: Harveyk
LVL 32

Expert Comment

ID: 16896026
I'm afraid no!


Author Comment

ID: 16991291
Thanks Rajesh! Well I guess that is that then heh.

I suppose the only way to do this would be to incorporate both IP addresses into every Kerberos ticket created (i.e. stamp the ticket with the REAL and NATTED IP address).

The question now becomes: is there any way to achieve this in a Windows 2000 Active Directory environment?

What tools would I need to do this?

Many thanks for all the help
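The address check the question describes, modelled as an added Python example (not code from this thread or from any Kerberos implementation): per RFC 4120 §3.2.3 the server compares the ticket's HostAddresses (caddr) with the source address it actually observes, so a ticket stamped only with the pre-NAT address fails, while one carrying both addresses (the RFC 3027 "pool" idea from the question) or no addresses at all passes. The principal name, IP addresses and NAT table are constructed sample values.

```python
"""Model of the Kerberos 5 client-address check behind a NAT.

Added illustration only; no KDC or real ticket encoding is involved.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RFC 4120 section 7.5.9: "Incorrect net address"
KRB_AP_ERR_BADADDR = 38


@dataclass
class Ticket:
    cname: str
    # HostAddresses (caddr). An empty list models an addressless ticket,
    # for which RFC 4120 says the address check is skipped entirely.
    caddr: List[str] = field(default_factory=list)


def nat_translate(src_ip: str, nat_table: Dict[str, str]) -> str:
    """Source NAT: rewrite an inside address to its outside address."""
    return nat_table.get(src_ip, src_ip)


def verify_ap_req(ticket: Ticket, observed_src: str) -> Optional[int]:
    """Server-side check on the AP-REQ. None = accepted, else the KRB error."""
    if ticket.caddr and observed_src not in ticket.caddr:
        return KRB_AP_ERR_BADADDR
    return None


def nat_scenario() -> Dict[str, Optional[int]]:
    """Lab client 10.0.0.5 reaches production through NAT as 192.0.2.10
    (constructed addresses). Compare three ways of stamping the ticket."""
    nat = {"10.0.0.5": "192.0.2.10"}
    seen_by_server = nat_translate("10.0.0.5", nat)

    real_only = Ticket("harveyk", ["10.0.0.5"])                 # pre-NAT address only
    both = Ticket("harveyk", ["10.0.0.5", "192.0.2.10"])         # "pool" of addresses
    addressless = Ticket("harveyk")                              # no caddr at all

    return {
        "real_only": verify_ap_req(real_only, seen_by_server),   # 38 (BADADDR)
        "both": verify_ap_req(both, seen_by_server),             # None (accepted)
        "addressless": verify_ap_req(addressless, seen_by_server),  # None
    }


if __name__ == "__main__":
    for case, result in nat_scenario().items():
        print(f"{case:12s} -> {'accepted' if result is None else f'error {result}'}")
```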
LVL 32

Expert Comment

ID: 16993314
The thing is that there are a lot of problems faced with popular protocols like IPSEC, VOIP etc. So Cisco has incorporated 'fixup' for them so that the device takes care of these 'substitutions'! NAT-Traversal indeed is a headache.

In your case, I really don't know if this is supported or can even be done.


Author Comment

ID: 17000098
Yes, that's the problem I've seen so far. There is nothing in the Microsoft Kerberos arena that even shows how a ticket can be modified.

I think I know exactly what field I require to change in the tickets being issued by the DC (Host Addresses), but how to implement this in a Microsoft Kerberos ticket is something I cannot find anywhere on the net.

There are some articles that relate to stripping the Microsoft version of Kerberos out and installing the MIT version, but that's something I don't really want to do.
LVL 32

Accepted Solution

rsivanandan earned 500 total points
ID: 17001464
Yes I wouldn't suggest that either, reason being you want support for your machines from M$. Once you strip off, then you are off the contract :-(

