KDC in DMZ?

  • Last Post 18 May 2017
psbug posted this 18 May 2017

Hi Everyone,

I am working on a project where there is a need to expose the Domain Controller (KDC service specifically) in the DMZ. This domain is going to be a separate one from our production, with a bunch of user accounts who will be connecting to some of our SSO-enabled apps via the internet (without VPN).

Does anyone on this mailing list have this sort of setup in their org? If yes, what security considerations are you guys following to secure the KDC from external threats? How are the user accounts protected in that environment?

Are there any options to further secure the Kerberos traffic in that DMZ environment?

Would appreciate any feedback and suggestions.



Cheers, PR

a-ko posted this 18 May 2017

In this day and age, for applications exposed to the internet you should probably be using some sort of Federation-based authentication, and not exposing Kerberos directly to the Internet.

 

It sounds like you’re not providing all of the info, but for a Windows machine to work it needs significantly more than Kerberos open. Linux is less needy on this front, but poses its own risks, particularly around password resets and keytab regeneration (although the assumption here is that you would expire these, but that’s not always configured/the case).

 
