Kerberos 5 over a NATted IP Address
Posted on 2006-06-13
I need to ask a question about Kerberos 5 (Windows 2000 AD Domain) over a NATted IP. I have a lab environment that talks to production over NATted IP addresses.
Everything was working fine until we decided to implement an application that required Kerberos authentication. I understand that Kerberos tickets stamp themselves with the REAL IP address of the server that they are issued from. When they reach the destination server, since the IP address that is stamped into the ticket is not the NATted IP address, the destination server rejects them.
After reading RFC 3027, it appears that the only way to get around this is to either use a "pool" of IP addresses that can be incorporated into the Kerberos ticket, or to use ticket-less Kerberos, which is unacceptable.
Does anybody know ANYTHING that can be done without compromising the ticket security?
We are using Cisco equipment in both lab and production.
Active Directory 2000, Domain controllers are SP4a.