• Last Post 18 May 2017
psbug posted this 18 May 2017

Hi Everyone,

I am working on project where there is a need to expose the Domain Controller (KDC service specifically) in DMZ. This domain is going to be separate one from our production with bunch of user accounts who will be connecting to some of our SSO enabled apps via internet (without VPN).

Is anyone in this mailing list have this sort of setup exist in their org? If yes, what security considerations you guys are following to secure KDC from external threats? How the user accounts are protected in that environment?

Are there any options to further secure the Kerberos traffic in that DMZ environment?

Would appreciate any feedback and suggestions.

Cheers, PR

a-ko posted this 18 May 2017

In this day and age for applications exposed to the internet you should probably be using some sort of Federation-based authentication, and not exposing Kerberos directly to the



It sounds like you’re not providing all of the info, but for a windows machine to work it needs significantly more than Kerberos open. Linux is less needy on this front, but poses

its own risks, particularly around password resets and keytab regeneration (although the assumption here is that you would expire these, but that’s not always configured/the case)