Skip Menu |

Date: Sat, 13 Feb 2021 13:23:42 +0200
From: "Дилян Палаузов" <>
Subject: HTTPS client proxy zero configuration
To: "krb5-bugs" <>
states that the Kerberos clients can discover KDC using URI DNS RR. In
particular that it can use by default - without additional client side
configuration - HTTPS proxy to get a ticket. As example it shows the

_kerberos.EXAMPLE.COM URI 30 1 krb5srv::kkdcp:https://proxy:89/auth

where kkdcp means the MS-KKDCP type (I do not know what kkdcp is).
Configure the client to access the KDC and kpasswd service by
specifying their locations in its krb5.conf file in the form of HTTPS
URLs for the proxy server:

kdc = https://server.fqdn/KdcProxy
kpasswd_server = https://server.fqdn/KdcProxy

If the proxy and client are properly configured, client commands such
as kinit, kvno, and kpasswd should all function normally.

• Please amend the “client configuration” to state, that with URI+HTTPS
records no explicit client configuration is necessary for the HTTPS