Solved

Kerberos 5 over a NATed IP Address

Posted on 2006-06-13
Last Modified: 2010-03-18
Hi Experts,

I need to ask a question about Kerberos 5 (Windows 2000 AD Domain) over NATed IP. I have a lab environment that talks to production over NATed IP addresses.

Everything was working fine until we decided to implement an application that required Kerberos authentication. I understand that Kerberos tickets stamp themselves with the REAL IP address of the server that they are issued from. When they reach the destination server, since the IP address that is stamped into the ticket is not the NATed IP address, the destination server rejects them.

After reading RFC 3027 it appears that the only way to get around this is to either use a "pool" of IP addresses that can be incorporated into the Kerberos ticket, or use ticket-less Kerberos, which is unacceptable.

Does anybody know ANYTHING that can be done without compromising the ticket security?

We are using Cisco equipment in both lab and production.
Active Directory 2000, Domain controllers are SP4a.

Please help!!

Expert Comment

by:rsivanandan
ID: 16896026
I'm afraid no!

Cheers,
Rajesh

Author Comment

by:Harveyk
ID: 16991291
Thanks Rajesh! Well I guess that is that then heh.

I suppose the only way to do this would be to incorporate both IP addresses into every Kerberos ticket created (i.e. stamp the ticket with the REAL and NATed IP address).

The question now becomes: is there any way to achieve this in a Windows 2000 Active Directory environment?

What tools would I need to do this?

Many thanks for all the help

Expert Comment

by:rsivanandan
ID: 16993314
The thing is that there are a lot of problems faced with popular protocols like IPsec, VoIP etc. So Cisco has incorporated 'fixup' for them so that the device takes care of these 'substitutions'! NAT traversal indeed is a headache.

In your case, I really don't know if this is supported or can even be done.

Cheers,
Rajesh
Author Comment

by:Harveyk
ID: 17000098
Yes, that's the problem I've seen so far. There is nothing in the Microsoft Kerberos arena that even shows how a ticket can be modified.

I think I know exactly what field I require to change in the tickets being issued by the DC (Host Addresses), but how to implement this in a Microsoft Kerberos ticket is something I cannot find anywhere on the net.

There are some articles that relate to stripping the Microsoft version of Kerberos out and installing the MIT version, but that's something I don't really want to do.
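As an added illustration (not code from the thread or from any of its participants) of the check that the Host Addresses field is involved in: under RFC 4120 a ticket's Host Addresses (caddr) field lists client addresses, and the service that receives the ticket compares the address it observes on the wire against that list, rejecting with KRB_AP_ERR_BADADDR on a mismatch. The script below DER-encodes a caddr list, decodes it back, and runs that comparison for three constructed cases: a ticket carrying only the real lab address but presented from behind NAT, a ticket carrying both the real and the NATed address as suggested above, and an addressless ticket, which RFC 4120 exempts from the check. All IP addresses are constructed sample values.

```python
# Added example (not from the thread); the IP addresses are constructed sample values.
import ipaddress

ADDRTYPE_IPV4 = 2  # RFC 4120 addr-type value for IPv4

def _tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER tag-length-value for bodies shorter than 128 bytes."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def encode_host_addresses(addrs) -> bytes:
    """HostAddresses ::= SEQUENCE OF HostAddress
    HostAddress ::= SEQUENCE { addr-type [0] Int32, address [1] OCTET STRING }"""
    items = b""
    for a in addrs:
        packed = ipaddress.IPv4Address(a).packed
        addr_type = _tlv(0xA0, _tlv(0x02, bytes([ADDRTYPE_IPV4])))  # [0] INTEGER
        address = _tlv(0xA1, _tlv(0x04, packed))                     # [1] OCTET STRING
        items += _tlv(0x30, addr_type + address)
    return _tlv(0x30, items)

def decode_host_addresses(der: bytes) -> list:
    """Inverse of encode_host_addresses; only IPv4 entries are returned."""
    assert der[0] == 0x30
    body, pos, addrs = der[2:2 + der[1]], 0, []
    while pos < len(body):
        assert body[pos] == 0x30
        item = body[pos + 2:pos + 2 + body[pos + 1]]
        # item layout: A0 03 02 01 <type> A1 06 04 04 <4 address bytes>
        assert item[0] == 0xA0 and item[2] == 0x02 and item[5] == 0xA1 and item[7] == 0x04
        addr_type, raw = item[4], item[9:9 + item[8]]
        if addr_type == ADDRTYPE_IPV4:
            addrs.append(str(ipaddress.IPv4Address(raw)))
        pos += 2 + body[pos + 1]
    return addrs

def check_client_address(caddr_der: bytes, peer_ip: str) -> str:
    """Service-side rule (RFC 4120 3.2.3): empty caddr = no check; otherwise the
    address seen on the wire must be listed, else KRB_AP_ERR_BADADDR."""
    addrs = decode_host_addresses(caddr_der)
    if not addrs or peer_ip in addrs:
        return "OK"
    return "KRB_AP_ERR_BADADDR"

if __name__ == "__main__":
    REAL, NATED = "10.0.0.5", "192.0.2.5"  # lab host's real IP and its NAT address
    print(check_client_address(encode_host_addresses([REAL]), NATED))         # KRB_AP_ERR_BADADDR
    print(check_client_address(encode_host_addresses([REAL, NATED]), NATED))  # OK
    print(check_client_address(encode_host_addresses([]), NATED))             # OK
```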

Accepted Solution

by: rsivanandan (earned 500 total points)
ID: 17001464
Yes I wouldn't suggest that either, reason being you want support for your machines from M$. Once you strip off, then you are off the contract :-(

Cheers,
Rajesh