The Windows 2000 Kerberos implementation [1, 2] uses a different approach to solve the Kerberos realm resolution problem than has traditionally been used by MIT Kerberos implementations. In this paper, we present the details of the two approaches and compare them. To facilitate more effective use of the Kerberos ticket cache, we propose a new format for referral data that includes a list of alias names as part of the returned referral information. We include the pseudocode for the algorithm that we have implemented in the MIT Kerberos client, which allows an MIT Kerberos client to request and follow referrals from a Windows 2000 Kerberos KDC, thus removing the need for management and administration of DNS-to-realm mapping files on Kerberos client hosts. We conclude with a discussion of issues that are applicable to any mutual authentication protocol.
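The following is an added toy model of the referral-following idea sketched above; it is not the paper's pseudocode. It assumes constructed realm names, a constructed KDC table, and a constructed referral record of the form (next realm, alias list), and shows why carrying aliases in the referral lets a later request under an alias skip the referral hop.

```python
# Added illustration (not the paper's pseudocode): a toy model of a Kerberos
# client chasing KDC referrals and recording the realm resolution in its ticket
# cache under every alias the referral carries. Realm names, the KDC table and
# the referral record layout are constructed assumptions for this example.

MAX_REFERRALS = 5  # bound on referral hops; stops a misconfigured referral loop

# Constructed KDC behaviour: for a service name, each realm's KDC answers with
# either ("ticket", principal) or ("referral", next_realm, [alias, ...]).
KDCS = {
    "CORP.EXAMPLE": {
        "fs1.eng.example": ("referral", "ENG.EXAMPLE",
                            ["fs1", "fileserver.eng.example"]),
    },
    "ENG.EXAMPLE": {
        "fs1.eng.example": ("ticket", "host/fs1.eng.example@ENG.EXAMPLE"),
        "fs1": ("ticket", "host/fs1.eng.example@ENG.EXAMPLE"),
        "fileserver.eng.example": ("ticket", "host/fs1.eng.example@ENG.EXAMPLE"),
    },
}


class ReferralClient:
    """Client that resolves a service's realm by following KDC referrals."""

    def __init__(self, local_realm):
        self.local_realm = local_realm
        self.realm_cache = {}   # service name -> realm learned from referrals
        self.hops = []          # realms contacted during the last lookup

    def get_service_ticket(self, service):
        self.hops = []
        # Start at a realm the cache already knows for this name, else locally.
        realm = self.realm_cache.get(service, self.local_realm)
        for _ in range(MAX_REFERRALS):
            self.hops.append(realm)
            reply = KDCS[realm].get(service)
            if reply is None:
                raise LookupError(f"{realm} knows nothing about {service}")
            if reply[0] == "ticket":
                self.realm_cache[service] = realm
                return reply[1]
            _, next_realm, aliases = reply
            # Record the resolution for the requested name and every alias so
            # later requests under any of those names skip the referral hop.
            for name in [service, *aliases]:
                self.realm_cache[name] = next_realm
            realm = next_realm
        raise RuntimeError("referral limit exceeded")
```

Without the alias list, the second request for "fileserver.eng.example" would have to start at the local realm again, which in this constructed table does not know that name at all.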
[1] Tim Howes et al. Internet X.509 Public Key Infrastructure LDAPv2 Schema. RFC, 1999.
[2] Clifford Neuman et al. Public Key Cryptography for Cross-Realm Authentication in Kerberos. 2001.
[3] Donald E. Eastlake et al. Domain Name System Security Extensions. RFC, 1997.
[4] Roger M. Needham et al. Using encryption for authentication in large networks of computers. CACM, 1978.
[5] G. G. Stokes. "J." The New Yale Book of Quotations, 1890.
[6] John T. Kohl et al. The Kerberos Network Authentication Service (V5). 2004.
[7] Paul V. Mockapetris et al. Domain names - concepts and facilities. RFC, 1987.