Initial and Pass Through Authentication Using Kerberos V5 and GSS-API (IAKERB)

Document Type: Expired Internet-Draft (krb-wg WG)
Last updated: 2004-02-13 (latest revision 2002-10-07)
Stream: IETF
Intended RFC status: Proposed Standard
Expired & archived
WG state: Dead WG Document
Document shepherd: No shepherd assigned
IESG state: Expired (IESG: Dead)
Consensus Boilerplate: Unknown
Responsible AD: Russ Housley

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


This document defines extensions to the Kerberos protocol specification (RFC 1510 [1]) and the GSSAPI Kerberos protocol mechanism (RFC 1964 [2]) that enable a client to obtain Kerberos tickets for services where the KDC is not accessible to the client, but is accessible to the application server. Some common scenarios where lack of accessibility would occur are when the client does not have an IP address prior to authenticating to an access point, the client is unable to locate a KDC, or a KDC is behind a firewall. The document specifies two protocols to allow a client to exchange KDC messages (which are GSS encapsulated) with an IAKERB proxy instead of a KDC.


Bernard Aboba
Glen Zorn
Jonathan Trostle
Michael Swift

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)