2

I know one can disable the reverse DNS lookup made by individual client applications when calculating SPN of the called server during Kerberos authentication. There are various ways, e. g.:

My question is whether this can be somehow achieved on a Windows (namely Windows 10) client machine globally - for all applications. The following variants don't seem to be a solution:

  • Tell Windows not to do the reverse lookup. I checked MS Kerberos registry documentation and I cannot see such a setting there.
  • Tell Windows / all applications in Windows to use the MIT implementation instead. There seem to be special settings e. g. in PuTTY or Firefox which enable choosing a concrete GSSAPI/Kerberos implementation. But what about the other applications, like Chrome or the Windows network disks mapper?
  • Highly theoretical and not practical: Change, recompile and deploy the hard-wired part of Windows responsible for the lookup.
Petr Bodnár
  • 159
  • 1
  • 6
  • are you sure rdns is required for kerberos on windows? http://www.cosonok.com/2014/04/is-kerberos-dependent-on-reverse-dns.html – Gordy May 28 '21 at 22:15
  • @Gordy, thx for the link. If I read the article correctly though, it proofs that Kerberos *can work even without rdns setup*. But it doesn't show how to tell Kerberos in Windows *not to use rdns*. – Petr Bodnár May 29 '21 at 08:57
  • from what I can tell it seems that you don't have to tell Windows not to use rdns - it already doesn't use it. I just got kerberos working between a Windows 10 client and an AWS-managed AD and rdns would have been a showstopper. maybe it depends on your auth server though. – Gordy May 31 '21 at 18:02
  • @Gordy, provided that what you write is true, the rdns may be enforced by the auth server (AD), as you suggest, or maybe there is some domain group policy for that. Then my question could be restated as "How not to enable rdns for Windows Kerberos", but yes, it's basically still the same question... – Petr Bodnár Jun 05 '21 at 06:51

0 Answers0