Initial and Pass Through Authentication Using Kerberos V5 and the GSS- API (IAKERB)
draft-ietf-kitten-iakerb-03
NETWORK WORKING GROUP B. Kaduk, Ed.
Internet-Draft Akamai
Updates: 4120,4121 (if approved) J. Schaad, Ed.
Intended status: Standards Track Soaring Hawk Consulting
Expires: October 1, 2017 L. Zhu
Microsoft Corporation
J. Altman
Secure Endpoints
March 30, 2017
Initial and Pass Through Authentication Using Kerberos V5 and the GSS-
API (IAKERB)
draft-ietf-kitten-iakerb-03
Abstract
This document defines extensions to the Kerberos protocol and the
GSS-API Kerberos mechanism that enable a GSS-API Kerberos client to
exchange messages with the KDC by using the GSS-API acceptor as a
proxy, encapsulating the Kerberos messages inside GSS-API tokens.
With these extensions a client can obtain Kerberos tickets for
services where the KDC is not accessible to the client, but is
accessible to the application server.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 1, 2017.
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
Kaduk, et al. Expires October 1, 2017 [Page 1]
Internet-Draft IAKERB March 2017
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions Used in This Document . . . . . . . . . . . . . . 3
3. GSS-API Encapsulation . . . . . . . . . . . . . . . . . . . . 3
3.1. Enterprise principal names . . . . . . . . . . . . . . . 6
4. Finish Message . . . . . . . . . . . . . . . . . . . . . . . 7
5. Addresses in Tickets . . . . . . . . . . . . . . . . . . . . 8
6. Security Considerations . . . . . . . . . . . . . . . . . . . 8
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9
8. Assigned Numbers . . . . . . . . . . . . . . . . . . . . . . 10
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
10.1. Normative References . . . . . . . . . . . . . . . . . . 10
10.2. Informative references . . . . . . . . . . . . . . . . . 11
Appendix A. Interoperate with Previous MIT version . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction
When authenticating using Kerberos V5, clients obtain tickets from a
KDC and present them to services. This model of operation cannot
work if the client does not have access to the KDC. For example, in
remote access scenarios, the client must initially authenticate to an
access point in order to gain full access to the network. Here the
client may be unable to directly contact the KDC either because it
does not have an IP address, or the access point packet filter does
not allow the client to send packets to the Internet before it
authenticates to the access point. The Initial and Pass Through
Authentication Using Kerberos (IAKERB) mechanism allows for the use
of Kerberos in such scenarios where the client is unable to directly
contact the KDC, by using the service to pass messages between the
Show full document text