
I have configured and enabled an environment that does seamless X.509 / Kerberos authentication for iOS devices. The security concern is that the KDC needs to be exposed to the public internet for this to work. I'm trying to determine the best way to mitigate this.

I'm thinking of deploying a "slave" KDC in the cloud that only has the user public certificates, which would have a VPN connection to the domain controller/KDC on the corporate network. Both KDCs would be in separate realms, and since the issued service tickets would come from the public KDC, they couldn't be used to do anything malicious in the corporate private KDC (if someone were to gain access to the network).

Would this work? How would I go about getting those two KDCs talking to each other?

Note: I have a SAML SSO system in this mix as well, which federates the successful authentication to other systems.

jekennedy

1 Answer


See also on Security.SE:

I don't see what a copy of the KDC on the private network gains you. Kerberos was intended for untrusted networks from the beginning.

Secure it like you would a database of hashed passwords. Run the KDC facing the Internet with the minimum of services and the maximum of scrutiny on logins and network traffic. Perhaps commission a penetration test to have a third party look for flaws you do not see.

John Mahowald
  • I see your point. One of the main reasons for separating them is to have two different realms, so tickets received from the public KDC couldn't be used against any services from the internal KDC (assuming the user could gain access to the internal network). – jekennedy Mar 14 '19 at 14:05
  • What, if any, trust relationships do you want between the realms? I thought the only reason one wasn't Internet facing was for network security. In which case you only need the one public KDC. – John Mahowald Mar 14 '19 at 18:11
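The answer's advice to run the Internet-facing KDC with "the maximum of scrutiny on logins" is the part most people leave unimplemented. The script below is an added example, not code from the question, the answer, or any Kerberos distribution: it parses log lines in the style MIT `krb5kdc` writes (request type, client address, outcome code, client and server principal) and flags source addresses whose failed AS_REQ volume, or spread across many distinct principals, looks like password guessing or account enumeration, and additionally notes when a TGT was later issued to the same address. The hostnames, addresses, principals, thresholds and log lines are constructed placeholders; the regex is written against the MIT log format as commonly seen and should be checked against your own KDC's output before relying on it. Note that `NEEDED_PREAUTH` is the normal first leg of a pre-authenticated AS exchange and is deliberately not counted as a failure.

```python
"""Triage of authentication attempts against an Internet-facing KDC.

Added example (not from the original thread). Parses lines in the style of
MIT krb5kdc's log file and flags client addresses with suspicious AS_REQ
failure patterns. All sample data below is constructed for illustration.
"""
import re
from collections import defaultdict

# Outcome codes that MIT krb5kdc emits after "<client-ip>: " in AS_REQ lines.
# NEEDED_PREAUTH is a normal intermediate step, so it is not listed here.
FAILURE_CODES = {"PREAUTH_FAILED", "CLIENT_NOT_FOUND", "CLIENT_REVOKED", "KEY_EXP"}
SUCCESS_CODE = "ISSUE"

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+krb5kdc\[\d+\]\(\w+\):\s+"
    r"(?P<req>AS_REQ|TGS_REQ)\s+\([^)]*\)\s+(?P<ip>[0-9a-fA-F.:]+):\s+"
    r"(?P<code>[A-Z_]+):\s+(?:authtime\s+\d+,\s+etypes\s+\{[^}]*\},\s+)?"
    r"(?P<client>\S+?)\s+for\s+(?P<server>\S+?)(?:,|$)"
)

# Constructed sample log: one legitimate client (203.0.113.5), one address
# spraying several accounts and finally getting a TGT (198.51.100.9), and one
# address with a couple of typos that should stay below the threshold.
_ET = "(4 etypes {18 17 16 23})"
_KRBTGT = "krbtgt/CORP.EXAMPLE@CORP.EXAMPLE"
SAMPLE_LOG = [
    f"Mar 14 14:05:01 kdc1 krb5kdc[2345](info): AS_REQ {_ET} 203.0.113.5: NEEDED_PREAUTH: alice@CORP.EXAMPLE for {_KRBTGT}, Additional pre-authentication required",
    f"Mar 14 14:05:02 kdc1 krb5kdc[2345](info): AS_REQ {_ET} 203.0.113.5: ISSUE: authtime 1552572302, etypes {{rep=18 tkt=18 ses=18}}, alice@CORP.EXAMPLE for {_KRBTGT}",
    f"Mar 14 14:05:03 kdc1 krb5kdc[2345](info): TGS_REQ {_ET} 203.0.113.5: ISSUE: authtime 1552572302, etypes {{rep=18 tkt=18 ses=18}}, alice@CORP.EXAMPLE for HTTP/sso.corp.example@CORP.EXAMPLE",
    f"Mar 14 14:06:10 kdc1 krb5kdc[2345](info): AS_REQ {_ET} 198.51.100.9: PREAUTH_FAILED: bob@CORP.EXAMPLE for {_KRBTGT}, Preauthentication failed",
    f"Mar 14 14:06:11 kdc1 krb5kdc[2345](info): AS_REQ {_ET} 198.51.100.9: PREAUTH_FAILED: bob@CORP.EXAMPLE for {_KRBTGT}, Preauthentication failed",
    f"Mar 14 14:06:12 kdc1 krb5kdc[2345](info): AS_REQ {_ET} 198.51.100.9: CLIENT_NOT_FOUND: carol@CORP.EXAMPLE for {_KRBTGT}, Client not found in Kerberos database",
    f"Mar 14 14:06:13 kdc1 krb5kdc[2345](info): AS_REQ {_ET} 198.51.100.9: CLIENT_NOT_FOUND: dave@CORP.EXAMPLE for {_KRBTGT}, Client not found in Kerberos database",
    f"Mar 14 14:06:14 kdc1 krb5kdc[2345](info): AS_REQ {_ET} 198.51.100.9: PREAUTH_FAILED: erin@CORP.EXAMPLE for {_KRBTGT}, Preauthentication failed",
    f"Mar 14 14:06:15 kdc1 krb5kdc[2345](info): AS_REQ {_ET} 198.51.100.9: PREAUTH_FAILED: bob@CORP.EXAMPLE for {_KRBTGT}, Preauthentication failed",
    f"Mar 14 14:06:20 kdc1 krb5kdc[2345](info): AS_REQ {_ET} 198.51.100.9: ISSUE: authtime 1552572380, etypes {{rep=18 tkt=18 ses=18}}, bob@CORP.EXAMPLE for {_KRBTGT}",
    f"Mar 14 14:07:01 kdc1 krb5kdc[2345](info): AS_REQ {_ET} 192.0.2.77: PREAUTH_FAILED: frank@CORP.EXAMPLE for {_KRBTGT}, Preauthentication failed",
    f"Mar 14 14:07:05 kdc1 krb5kdc[2345](info): AS_REQ {_ET} 192.0.2.77: PREAUTH_FAILED: frank@CORP.EXAMPLE for {_KRBTGT}, Preauthentication failed",
]


def parse_line(line):
    """Return the named fields of one krb5kdc log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(lines, fail_threshold=5, spread_threshold=3):
    """Group AS_REQ outcomes by client address and return [(ip, [reasons])] for
    addresses that exceed either threshold. TGS_REQ lines are ignored: once a
    client holds a TGT, service-ticket requests say little about credential guessing."""
    per_ip = defaultdict(lambda: {"failures": 0, "principals": set(), "issued": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["req"] != "AS_REQ":
            continue
        bucket = per_ip[ev["ip"]]
        if ev["code"] in FAILURE_CODES:
            bucket["failures"] += 1
            bucket["principals"].add(ev["client"])
        elif ev["code"] == SUCCESS_CODE:
            bucket["issued"].add(ev["client"])

    findings = []
    for ip, b in sorted(per_ip.items()):
        reasons = []
        if b["failures"] >= fail_threshold:
            reasons.append(f"{b['failures']} failed AS_REQ")
        if len(b["principals"]) >= spread_threshold:
            reasons.append(f"{len(b['principals'])} distinct principals tried")
        # A success that follows a burst of failures is the line worth paging on.
        if reasons and b["issued"]:
            reasons.append("TGT issued after failures: " + ", ".join(sorted(b["issued"])))
        if reasons:
            findings.append((ip, reasons))
    return findings


if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE_LOG):
        print(f"{ip}: " + "; ".join(reasons))
```

In practice you would feed this the live log (or ship the same fields to your SIEM) and tune the two thresholds against a baseline; for a PKINIT-only population such as the iOS devices in the question, any `PREAUTH_FAILED` volume at all from the Internet side is already worth a look, since those clients never send password-based pre-authentication.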