Kerberos 5 over a Natted IP Address::

Posted on 2006-06-13
Last Modified: 2010-03-18
Hi Experts,

I need to ask a question about Kerberos 5 (Windows 2000 AD Domain) over Natted IP. I have a lab environment that talks to production over Natted IP addresses.

Everything was working fine until we decided to implement an application that required Kerberos authentication. I understand that Kerberos tickets stamp themselves with the REAL IP address of the server that they are issues from. When they reach the destination server, since the IP address that is stamped into the ticket is not the NATTED IP addresss, the destination server rejects them.

After reading the RFC 3027 it appears that the only way to get around this is the either use a "pool" of IP addresses that can be incorporated into the kerberos ticket, or we use ticket-less kerberos which is unacceptable.

Does anybody know ANYTHING that can be done without compromising the ticket security?

We are using Cisco equiptment in both lab and production.
Active Directory 2000, Domain controllers are SP4a.

Please help!!
Question by:Harveyk
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
LVL 32

Expert Comment

ID: 16896026
I'm afraid no!


Author Comment

ID: 16991291
Thanks Rajesh! Well I guess that is that then heh.

I suppose the only way to do this would be to incorporate both IP addresses into every kerberos ticket created (I.e stamp the ticket with the REAL and NATTED IP address).

Question now becomes is, is there anyway to achieve this in a Windows 2000 Active Directory environment?

What tools would I need to do this?

Many thanks for all the help
LVL 32

Expert Comment

ID: 16993314
The thing is that there are a lot of problems faced with popular protocols like IPSEC, VOIP etc. So Cisco has incorporated 'fixup' for them so that the device takes care of these 'substitutions'! NAT-Traversal indeed is a head-ache.

In your case, I really don't know if this is supported or can even be done.


Author Comment

ID: 17000098
Yes thats the problem I've seen so far. There is nothing in the Microsoft Kerberos arena that even shows how a ticket can be modified.

I think I know exactly what field I require to change in the tickets being issued by the DC (Host Addresses), but how to implement this in a Microsoft Kerberos ticket is something I cannot find anywhere on the net.

There are some articles that relate to stripping the Microsoft version of kerberos out and installing the MIT version, but thats something I don't really want to do.
LVL 32

Accepted Solution

rsivanandan earned 500 total points
ID: 17001464
Yes I wouldn't suggest that either, reason being you want support for your machines from M$. Once you strip off, then you are off the contract :-(


Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A common practice in small networks is making file sharing easy which works extremely well when intra-network security is not an issue. In essence, everyone, that is "Everyone", is given access to all of the shared files - often the entire C: drive …
An article on effective troubleshooting
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor ( Top Charts is a view in which you can set seve…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

632 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question