[OpenAFS] Re: authenticating using AD servers hidden behind firewall
Sat, 09 Jun 2012 01:47:32 -0400
On 6/8/2012 9:27 AM, Derek Atkins wrote:
> John Tang Boyland <firstname.lastname@example.org> writes:
>> Our institution uses "Shibboleth" for off campus authentication,
>> since it keeps the AD (and thus kerberos) servers hidden behind
>> a firewall. Does anyone know how to have OpenAFS use Shibboleth
>> for authentication?
> Is there any reason you can't just open port 88 on the firewall to allow
> Kerberos through? Kerberos *is* a security protocol after all, there is
> no real reason to hide your Kerberos server completely behind a
I suspect that in this case John is in no position to advise central
campus IT security on how the firewall and active directory deployments
should be managed. John is simply in the position of managing a
departmental afs cell and needing to work within the constraints of the
However, that being said, Microsoft's advice is to firewall all ports
on an active directory server and rely upon VPNs to access them when
necessary. In order to authenticate the VPN via Kerberos, GSS IAKERB
has been developed to permit the authentication requests to be proxied
via the GSS acceptor.
Even outside the Microsoft world, it is becoming more common for large
enterprises to only expose a subset of the KDB contents outside the
firewall. This may be done to ensure that certain principal names are
not visible or to restrict the set of available keys.