
Initial and Pass Through Authentication Using Kerberos V5 and GSS-API (IAKERB)

Document Type Expired Internet-Draft (krb-wg WG)
Authors Dr. Bernard D. Aboba, Glen Zorn, Dr. Jonathan Trostle, Michael Swift
Last updated 2004-02-13 (Latest revision 2002-10-07)
Stream Internet Engineering Task Force (IETF)
Intended RFC status Proposed Standard
Expired & archived
Stream WG state Dead WG Document
Document shepherd (None)
IESG IESG state Expired (IESG: Dead)
Action Holders
Consensus boilerplate Unknown
Telechat date (None)
Responsible AD Russ Housley
Send notices to <>
This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at:


This document defines extensions to the Kerberos protocol specification (RFC 1510 [1]) and the GSSAPI Kerberos protocol mechanism (RFC 1964 [2]) that enable a client to obtain Kerberos tickets for services where the KDC is not accessible to the client, but is accessible to the application server. Some common scenarios where lack of accessibility would occur are when the client does not have an IP address prior to authenticating to an access point, the client is unable to locate a KDC, or a KDC is behind a firewall. The document specifies two protocols to allow a client to exchange KDC messages (which are GSS encapsulated) with an IAKERB proxy instead of a KDC.


Dr. Bernard D. Aboba
Glen Zorn
Dr. Jonathan Trostle
Michael Swift

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)