1.3 Overview

Kerberos V5 [RFC4120] requires that the client have connectivity to the Key Distribution Center (KDC) in order to authenticate. The Kerberos Key Distribution Center (KDC) Proxy Protocol (KKDCP) provides a mechanism for a client to use a KKDCP server to change passwords and securely obtain Kerberos service tickets. The KKDCP client sends Kerberos messages to the KKDCP server over HTTPS. The KKDCP server locates a KDC for the request and sends the request to that KDC on behalf of the Kerberos V5 client. Because the messages received by the KDC are Kerberos messages, the KDC does not have a role in KKDCP. Once the KKDCP server receives the response from the KDC, it returns the Kerberos message to the KKDCP client over HTTPS.


Figure 1: Messages between client, server, and KDC
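The wrap and unwrap steps of this flow, as an added example that is not part of the specification text on this page. It assumes the KDC_PROXY_MESSAGE layout defined in the protocol's message syntax section (kerb-message [0] OCTET STRING carrying the 4-octet length prefix of [RFC4120] section 7.2.2, target-domain [1] Realm); the function names are hypothetical and the sample bytes are constructed.

```python
import struct

# Constructed stand-in for a Kerberos message (not a real AS-REQ).
SAMPLE_KRB_MSG = b"\x6a\x03\x02\x01\x05"

def tlv(tag, value):
    """Encode one DER TLV with short- or long-form length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def read_tlv(buf, pos):
    """Return (tag, value, next_pos); reject truncated or oversized lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def wrap(krb_msg, realm):
    """Client: build the HTTPS request body for one Kerberos message."""
    framed = struct.pack(">I", len(krb_msg)) + krb_msg
    return tlv(0x30, tlv(0xA0, tlv(0x04, framed)) +
               tlv(0xA1, tlv(0x1B, realm.encode("ascii"))))

def unwrap(body):
    """Server: validate the wrapper, return (kerberos_message, realm)."""
    tag, seq, end = read_tlv(body, 0)
    if tag != 0x30 or end != len(body):
        raise ValueError("expected exactly one SEQUENCE")
    fields, pos = {}, 0
    while pos < len(seq):
        ctx, inner, pos = read_tlv(seq, pos)
        fields[ctx] = read_tlv(inner, 0)[1]  # strip the inner universal TLV
    framed = fields.get(0xA0, b"")
    if len(framed) < 4:
        raise ValueError("kerb-message missing")
    if struct.unpack(">I", framed[:4])[0] != len(framed) - 4:
        raise ValueError("length prefix does not match message size")
    # framed[4:] is the plain Kerberos message the KDC would receive.
    return framed[4:], fields.get(0xA1, b"").decode("ascii")
```

The server-side check rejects a body whose declared length disagrees with the bytes actually present before anything is forwarded to a KDC.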