Initial and Pass Through Authentication Using Kerberos V5 and the GSS- API (IAKERB)
draft-ietf-kitten-iakerb-03

Document Type Active Internet-Draft (kitten WG)
Last updated 2017-03-30
Replaces draft-ietf-krb-wg-iakerb
Stream IETF
Intended RFC status (None)
Formats plain text xml pdf html bibtex
Stream WG state WG Document
Document shepherd No shepherd assigned
IESG IESG state I-D Exists
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)
NETWORK WORKING GROUP                                      B. Kaduk, Ed.
Internet-Draft                                                    Akamai
Updates: 4120,4121 (if approved)                          J. Schaad, Ed.
Intended status: Standards Track                 Soaring Hawk Consulting
Expires: October 1, 2017                                          L. Zhu
                                                   Microsoft Corporation
                                                               J. Altman
                                                        Secure Endpoints
                                                          March 30, 2017

 Initial and Pass Through Authentication Using Kerberos V5 and the GSS-
                              API (IAKERB)
                      draft-ietf-kitten-iakerb-03

Abstract

   This document defines extensions to the Kerberos protocol and the
   GSS-API Kerberos mechanism that enable a GSS-API Kerberos client to
   exchange messages with the KDC by using the GSS-API acceptor as a
   proxy, encapsulating the Kerberos messages inside GSS-API tokens.
   With these extensions a client can obtain Kerberos tickets for
   services where the KDC is not accessible to the client, but is
   accessible to the application server.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 1, 2017.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Kaduk, et al.            Expires October 1, 2017                [Page 1]
Internet-Draft                   IAKERB                       March 2017

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Conventions Used in This Document . . . . . . . . . . . . . .   3
   3.  GSS-API Encapsulation . . . . . . . . . . . . . . . . . . . .   3
     3.1.  Enterprise principal names  . . . . . . . . . . . . . . .   6
   4.  Finish Message  . . . . . . . . . . . . . . . . . . . . . . .   7
   5.  Addresses in Tickets  . . . . . . . . . . . . . . . . . . . .   8
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   8
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   9
   8.  Assigned Numbers  . . . . . . . . . . . . . . . . . . . . . .  10
   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  10
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .  10
     10.1.  Normative References . . . . . . . . . . . . . . . . . .  10
     10.2.  Informative references . . . . . . . . . . . . . . . . .  11
   Appendix A.  Interoperate with Previous MIT version . . . . . . .  11
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  12

1.  Introduction

   When authenticating using Kerberos V5, clients obtain tickets from a
   KDC and present them to services.  This model of operation cannot
   work if the client does not have access to the KDC.  For example, in
   remote access scenarios, the client must initially authenticate to an
   access point in order to gain full access to the network.  Here the
   client may be unable to directly contact the KDC either because it
   does not have an IP address, or the access point packet filter does
   not allow the client to send packets to the Internet before it
   authenticates to the access point.  The Initial and Pass Through
   Authentication Using Kerberos (IAKERB) mechanism allows for the use
   of Kerberos in such scenarios where the client is unable to directly
   contact the KDC, by using the service to pass messages between the
Show full document text