Kerberos authentication, service host and access to KDC

I have a web application (hostname: service.domain.com) and I wish to use Kerberos authentication to identify users that are logged into a Windows domain. Microsoft AD (Windows Server 2008 R2) is providing the Kerberos service.

The service is a Java web application using the Spring Security Kerberos extension library to implement the SPNEGO/Kerberos protocol. I have created a keytab file in AD that contains a shared secret that should be enough to authenticate Kerberos tickets that are sent by the client browsers using the web application.

My question is, is the service host (service.domain.com) required to have firewall access (TCP/UDP 88) to the KDC (kdc.domain.com), or is the keytab file enough for the service host to be able to decrypt the Kerberos tickets and provide authentication?


Solution 1:

The service never needs to talk to the KDC. It needs a keytab generated by the KDC, but that you can copy over any way you want. They never have to talk to each other.

An overly simplified version of what I believe goes on goes more or less like this:

Setting up the service

  • KDC generates a service keytab (which is something like a secret key/password if you like)
  • this keytab is provided to the service some way (scp or carried on a USB stick if you want)

Client connecting to the service

  • client requests a service ticket from the KDC
  • KDC generates a service ticket, which contains some information that can only be decrypted by the service keytab (this is the file that sits on your server)
  • client sends its service ticket to the service
  • the service uses its keytab to verify the ticket (no network communication necessary)
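The flow in the answer above, as an added example that is not part of the original post and not code from Spring Security Kerberos: a toy model in Python of the KDC, a client and the service, showing that the service verifies a ticket using nothing but its keytab copy, and that a stale keytab (wrong key) or an expired ticket is rejected. The "encryption" is a stand-in (hash-derived keystream plus an HMAC tag), not a real Kerberos enctype, and the principal names, key sizes and lifetimes are constructed sample values.

```python
"""Toy model of the Kerberos service-ticket flow (added example, not the
original post's code and not Spring Security Kerberos).

Point illustrated: the KDC seals the service ticket under the service's
long-term key, the same key that lives in the keytab, so the service can
verify the ticket locally and never has to reach the KDC (TCP/UDP 88).
seal()/unseal() are a stand-in for Kerberos encryption (keystream + HMAC),
NOT a real enctype; all names and keys below are constructed sample values."""
import hashlib
import hmac
import json
import os
import time


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Hash-derived keystream, used only to make the toy cipher deterministic.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for Kerberos encryption: XOR keystream, then HMAC tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Return the plaintext, or raise ValueError if the key is wrong or the blob was tampered with."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


class KDC:
    """Holds the long-term key of every principal; the service's copy is its keytab."""
    def __init__(self):
        self.keys = {}

    def register(self, principal: str) -> bytes:
        self.keys[principal] = os.urandom(32)
        return self.keys[principal]          # for a service, this is what the keytab carries

    def issue_service_ticket(self, client: str, service: str, lifetime: int = 600) -> dict:
        """TGS exchange, simplified: the ticket is sealed under the SERVICE key,
        the fresh session key is handed to the client alongside it."""
        session_key = os.urandom(32)
        ticket = {"client": client, "service": service, "session_key": session_key.hex(),
                  "endtime": int(time.time()) + lifetime}
        return {"ticket": seal(self.keys[service], json.dumps(ticket).encode()),
                "session_key": session_key}


class Client:
    def __init__(self, name: str):
        self.name = name

    def build_ap_req(self, grant: dict) -> dict:
        """AP-REQ: the opaque ticket plus an authenticator sealed under the session key."""
        authenticator = {"client": self.name, "ctime": int(time.time())}
        return {"ticket": grant["ticket"],
                "authenticator": seal(grant["session_key"], json.dumps(authenticator).encode())}


class Service:
    """The web application. It only ever holds its keytab copy; it never calls the KDC."""
    def __init__(self, name: str, keytab_key: bytes, max_skew: int = 300):
        self.name, self.keytab_key, self.max_skew = name, keytab_key, max_skew

    def verify(self, ap_req: dict, now=None) -> str:
        """Return the authenticated client principal, or raise ValueError. Purely local."""
        now = int(time.time()) if now is None else now
        ticket = json.loads(unseal(self.keytab_key, ap_req["ticket"]))   # keytab decrypts the ticket
        if ticket["service"] != self.name:
            raise ValueError("ticket is for another service")
        if ticket["endtime"] < now:
            raise ValueError("ticket expired")
        session_key = bytes.fromhex(ticket["session_key"])               # recovered from the ticket
        auth = json.loads(unseal(session_key, ap_req["authenticator"]))
        if auth["client"] != ticket["client"]:
            raise ValueError("authenticator does not match ticket")
        if abs(auth["ctime"] - now) > self.max_skew:
            raise ValueError("clock skew too large")
        return ticket["client"]


def demo() -> str:
    """One full round trip with constructed principals; returns the verified client name."""
    kdc = KDC()
    kdc.register("alice@DOMAIN.COM")
    keytab = kdc.register("HTTP/service.domain.com@DOMAIN.COM")  # copied to the service host out of band
    service = Service("HTTP/service.domain.com@DOMAIN.COM", keytab)
    grant = kdc.issue_service_ticket("alice@DOMAIN.COM", service.name)
    return service.verify(Client("alice@DOMAIN.COM").build_ap_req(grant))


if __name__ == "__main__":
    print(demo())
```

Note that `Service.verify` touches no network object at all; the only coupling to the KDC is the key value shared through the keytab. That is also why a keytab regenerated in AD (new key version) silently breaks authentication until the new file is copied to the host: the old keytab fails the integrity check exactly as the stale-key case does here.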