.. _https:

HTTPS proxy configuration

=========================

In addition to being able to use UDP or TCP to communicate directly

with a KDC as is outlined in RFC4120, and with kpasswd services in a

similar fashion, the client libraries can attempt to use an HTTPS

proxy server to communicate with a KDC or kpasswd service, using the

protocol outlined in [MS-KKDCP].

Communicating with a KDC through an HTTPS proxy allows clients to

contact servers when network firewalls might otherwise prevent them

from doing so.  The use of TLS also encrypts all traffic between the

clients and the KDC, preventing observers from conducting password

dictionary attacks or from observing the client and server principals

being authenticated, at additional computational cost to both clients

and servers.

An HTTPS proxy server is provided as a feature in some versions of

Microsoft Windows Server, and a WSGI implementation named `kdcproxy`

is available in the python package index.

Configuring the clients

-----------------------

To use an HTTPS proxy, a client host must trust the CA which issued

that proxy's SSL certificate.  If that CA's certificate is not in the

system-wide default set of trusted certificates, configure the

following relation in the client host's :ref:`krb5.conf(5)` file in

the appropriate :ref:`realms` subsection::

    http_anchors = FILE:/etc/krb5/cacert.pem

Adjust the pathname to match the path of the file which contains a

copy of the CA's certificate.  The `http_anchors` option is documented

more fully in :ref:`krb5.conf(5)`.

Configure the client to access the KDC and kpasswd service by

specifying their locations in its :ref:`krb5.conf(5)` file in the form

of HTTPS URLs for the proxy server::

    kdc = https://server.fqdn/KdcProxy

    kpasswd_server = https://server.fqdn/KdcProxy

If the proxy and client are properly configured, client commands such

as ``kinit``, ``kvno``, and ``kpasswd`` should all function normally.