Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Kerberos 5 over a Natted IP Address::

Posted on 2006-06-13
8
Medium Priority
?
459 Views
Last Modified: 2010-03-18
Hi Experts,

I need to ask a question about Kerberos 5 (Windows 2000 AD Domain) over Natted IP. I have a lab environment that talks to production over Natted IP addresses.

Everything was working fine until we decided to implement an application that required Kerberos authentication. I understand that Kerberos tickets stamp themselves with the REAL IP address of the server that they are issues from. When they reach the destination server, since the IP address that is stamped into the ticket is not the NATTED IP addresss, the destination server rejects them.

After reading the RFC 3027 it appears that the only way to get around this is the either use a "pool" of IP addresses that can be incorporated into the kerberos ticket, or we use ticket-less kerberos which is unacceptable.

Does anybody know ANYTHING that can be done without compromising the ticket security?

We are using Cisco equiptment in both lab and production.
Active Directory 2000, Domain controllers are SP4a.

Please help!!
0
Comment
Question by:Harveyk
  • 3
  • 2
8 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16896026
I'm afraid no!

Cheers,
Rajesh
0
 

Author Comment

by:Harveyk
ID: 16991291
Thanks Rajesh! Well I guess that is that then heh.

I suppose the only way to do this would be to incorporate both IP addresses into every kerberos ticket created (I.e stamp the ticket with the REAL and NATTED IP address).

Question now becomes is, is there anyway to achieve this in a Windows 2000 Active Directory environment?

What tools would I need to do this?

Many thanks for all the help
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16993314
The thing is that there are a lot of problems faced with popular protocols like IPSEC, VOIP etc. So Cisco has incorporated 'fixup' for them so that the device takes care of these 'substitutions'! NAT-Traversal indeed is a head-ache.

In your case, I really don't know if this is supported or can even be done.

Cheers,
Rajesh
0
 

Author Comment

by:Harveyk
ID: 17000098
Yes thats the problem I've seen so far. There is nothing in the Microsoft Kerberos arena that even shows how a ticket can be modified.

I think I know exactly what field I require to change in the tickets being issued by the DC (Host Addresses), but how to implement this in a Microsoft Kerberos ticket is something I cannot find anywhere on the net.

There are some articles that relate to stripping the Microsoft version of kerberos out and installing the MIT version, but thats something I don't really want to do.
0
 
LVL 32

Accepted Solution

by:
rsivanandan earned 2000 total points
ID: 17001464
Yes I wouldn't suggest that either, reason being you want support for your machines from M$. Once you strip off, then you are off the contract :-(

Cheers,
Rajesh
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes you might need to configure routing based not only on destination IP address, but also on a combination of destination IP address (or hostname) and destination port number. I will describe a method how to accomplish this with free tools. …
Greetings, Experts! First let me state that this website is top notch. I thoroughly enjoy the community that is shared here; those seeking help and those willing to sacrifice their time to help. It is fantastic. I am writing this article at th…
This course is ideal for IT System Administrators working with VMware vSphere and its associated products in their company infrastructure. This course teaches you how to install and maintain this virtualization technology to store data, prevent vuln…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

927 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question