Kerberos and NAT - TechRepublic
General discussion
June 19, 2003 at 04:04 AM
fimos

Kerberos and NAT

by fimos . Updated 23 years, 1 month ago

Hello,
Does anyone have any insight into using Kerberos and Network Address translation for authentication against a number of different systems? The Kerberos 5 ticket response will contain IP addresses, as requested by the client system, form which the ticket is to be considered valid. As the services are on the public side of the NAT then the authentication fails because the addresses used by the NAT are not in the acceptable list of addresses.

There are a couple of known ways around this:
1. Have the public IP address in the tickets IP list,

2. Remove all IP addresses from the ticket.

Both of those lead to security problems and can ultimately result in unauthorized users being able to authenticate (not good)

So, any other ideas? I thought of using a proxy server as a go between, storing the K5 tickets and then issuing certificates to end users, not sure if that would work either though.

Thanks
-Lenny

This discussion is locked

All Comments