Hello,
Does anyone have any insight into using Kerberos and Network Address translation for authentication against a number of different systems? The Kerberos 5 ticket response will contain IP addresses, as requested by the client system, form which the ticket is to be considered valid. As the services are on the public side of the NAT then the authentication fails because the addresses used by the NAT are not in the acceptable list of addresses.
There are a couple of known ways around this:
1. Have the public IP address in the tickets IP list,
2. Remove all IP addresses from the ticket.
Both of those lead to security problems and can ultimately result in unauthorized users being able to authenticate (not good)
So, any other ideas? I thought of using a proxy server as a go between, storing the K5 tickets and then issuing certificates to end users, not sure if that would work either though.
Thanks
-Lenny