xref: /freebsd/crypto/krb5/doc/admin/https.rst (revision 7f2fe78b9dd5f51c821d771b63d2e096f6fd49e9)
.. _https:

HTTPS proxy configuration
=========================

In addition to communicating directly with a KDC over UDP or TCP as
described in RFC 4120, and with kpasswd services in a similar fashion,
the client libraries can reach a KDC or kpasswd service through an
HTTPS proxy server, using the protocol described in [MS-KKDCP].  In
that protocol each Kerberos message is wrapped in a DER-encoded
KDC-PROXY-MESSAGE and sent as the body of an HTTPS POST to the proxy,
which forwards it to the KDC and returns the reply the same way.

Communicating with a KDC through an HTTPS proxy allows clients to
contact servers when network firewalls might otherwise prevent them
from doing so.  Because the traffic between the client and the proxy
is carried over TLS, a passive observer on that path cannot capture
the AS exchange for an offline password dictionary attack, nor see
which client and server principals are being authenticated.  This
comes at additional computational cost to both clients and servers.
Note that TLS protects only the leg between the client and the proxy:
the proxy forwards the unwrapped Kerberos messages to the KDC over
ordinary UDP or TCP, so it should sit on a network path to the KDC
that is already trusted.

An HTTPS proxy server is provided as a feature in some versions of
Microsoft Windows Server, and a WSGI implementation named `kdcproxy`
is available in the Python Package Index.


Configuring the clients
-----------------------

To use an HTTPS proxy, a client host must trust the CA which issued
that proxy's TLS certificate.  If that CA's certificate is not in the
system-wide default set of trusted certificates, configure the
following relation in the client host's :ref:`krb5.conf(5)` file in
the appropriate :ref:`realms` subsection::

    http_anchors = FILE:/etc/krb5/cacert.pem

Adjust the pathname to match the path of the file which contains a
copy of the CA's certificate.  The `http_anchors` option is documented
more fully in :ref:`krb5.conf(5)`.  As with any TLS connection, the
certificate the proxy presents must be valid for the host name used in
the URLs configured below.

Configure the client to reach the KDC and kpasswd service through the
proxy by giving their locations, in the same :ref:`realms` subsection
of its :ref:`krb5.conf(5)` file, as HTTPS URLs for the proxy server::

    kdc = https://server.fqdn/KdcProxy
    kpasswd_server = https://server.fqdn/KdcProxy

The path component must match the location at which the proxy is
served; ``/KdcProxy`` is the path used by the Windows proxy service.
Only KDC and kpasswd traffic can be proxied this way, so
``admin_server`` must still name a host the client can reach directly
with the kadmin protocol.

If the proxy and client are properly configured, client commands such
as ``kinit``, ``kvno``, and ``kpasswd`` should all function normally.
If they do not, run them with ``KRB5_TRACE=/dev/stderr`` set in the
environment; the trace output shows which KDC locations the library
tried and why a connection failed.

49