Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 476
  • Last Modified:

Kerberos 5 over a Natted IP Address::

Hi Experts,

I need to ask a question about Kerberos 5 (Windows 2000 AD Domain) over Natted IP. I have a lab environment that talks to production over Natted IP addresses.

Everything was working fine until we decided to implement an application that required Kerberos authentication. I understand that Kerberos tickets stamp themselves with the REAL IP address of the server that they are issues from. When they reach the destination server, since the IP address that is stamped into the ticket is not the NATTED IP addresss, the destination server rejects them.

After reading the RFC 3027 it appears that the only way to get around this is the either use a "pool" of IP addresses that can be incorporated into the kerberos ticket, or we use ticket-less kerberos which is unacceptable.

Does anybody know ANYTHING that can be done without compromising the ticket security?

We are using Cisco equiptment in both lab and production.
Active Directory 2000, Domain controllers are SP4a.

Please help!!
0
Harveyk
Asked:
Harveyk
  • 3
  • 2
1 Solution
 
rsivanandanCommented:
I'm afraid no!

Cheers,
Rajesh
0
 
HarveykAuthor Commented:
Thanks Rajesh! Well I guess that is that then heh.

I suppose the only way to do this would be to incorporate both IP addresses into every kerberos ticket created (I.e stamp the ticket with the REAL and NATTED IP address).

Question now becomes is, is there anyway to achieve this in a Windows 2000 Active Directory environment?

What tools would I need to do this?

Many thanks for all the help
0
 
rsivanandanCommented:
The thing is that there are a lot of problems faced with popular protocols like IPSEC, VOIP etc. So Cisco has incorporated 'fixup' for them so that the device takes care of these 'substitutions'! NAT-Traversal indeed is a head-ache.

In your case, I really don't know if this is supported or can even be done.

Cheers,
Rajesh
0
 
HarveykAuthor Commented:
Yes thats the problem I've seen so far. There is nothing in the Microsoft Kerberos arena that even shows how a ticket can be modified.

I think I know exactly what field I require to change in the tickets being issued by the DC (Host Addresses), but how to implement this in a Microsoft Kerberos ticket is something I cannot find anywhere on the net.

There are some articles that relate to stripping the Microsoft version of kerberos out and installing the MIT version, but thats something I don't really want to do.
0
 
rsivanandanCommented:
Yes I wouldn't suggest that either, reason being you want support for your machines from M$. Once you strip off, then you are off the contract :-(

Cheers,
Rajesh
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now