Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 20. Using the KDC Proxy in IdM

Some administrators might choose to make the default Kerberos ports inaccessible in their deployment. To allow users, hosts, and services to obtain Kerberos credentials, you can use the HTTPS service as a proxy that communicates with Kerberos via the HTTPS port 443.

In Identity Management (IdM), the Kerberos Key Distribution Center Proxy (KKDCP) provides this functionality.

On an IdM server, KKDCP is enabled by default and available at https://server.idm.example.com/KdcProxy. On an IdM client, you must change its Kerberos configuration to access the KKDCP.

20.1. Configuring an IdM client to use KKDCP
Copy link

As an Identity Management (IdM) system administrator, you can configure an IdM client to use the Kerberos Key Distribution Center Proxy (KKDCP) on an IdM server. This is useful if the default Kerberos ports are not accessible on the IdM server and the HTTPS port 443 is the only way of accessing the Kerberos service.

Prerequisites

  • You have root access to the IdM client.

Procedure

  1. Open the /etc/krb5.conf file for editing.

  2. In the [realms] section, enter the URL of the KKDCP for the kdc, admin_server, and kpasswd_server options: 

    [realms]
EXAMPLE.COM = {
  kdc = https://kdc.example.com/KdcProxy
  admin_server = https://kdc.example.com/KdcProxy
  kpasswd_server = https://kdc.example.com/KdcProxy
  default_domain = example.com
}

    For redundancy, you can add the parameters kdc, admin_server, and kpasswd_server multiple times to indicate different KKDCP servers.

  3. Restart the sssd service to make the changes take effect: 

    ~]# systemctl restart sssd

On an Identity Management (IdM) server, the Kerberos Key Distribution Center Proxy (KKDCP) is automatically enabled each time the Apache web server starts if the attribute and value pair ipaConfigString=kdcProxyEnabled exists in the directory. In this situation, the symbolic link /etc/httpd/conf.d/ipa-kdc-proxy.conf is created.

You can verify if the KKDCP is enabled on the IdM server, even as an unprivileged user.

Procedure

  • Check that the symbolic link exists: 
$ ls -l /etc/httpd/conf.d/ipa-kdc-proxy.conf
lrwxrwxrwx. 1 root root 36 Jun 21  2020 /etc/httpd/conf.d/ipa-kdc-proxy.conf -> /etc/ipa/kdcproxy/ipa-kdc-proxy.conf

The output confirms that KKDCP is enabled.

20.3. Disabling KKDCP on an IdM server
Copy link

As an Identity Management (IdM) system administrator, you can disable the Kerberos Key Distribution Center Proxy (KKDCP) on an IdM server.

Prerequisites

  • You have root access to the IdM server.

Procedure

  1. Remove the ipaConfigString=kdcProxyEnabled attribute and value pair from the directory: 

    # ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.uldif
Update complete
The ipa-ldap-updater command was successful

  2. Restart the httpd service: 

    # systemctl restart httpd.service

KKDCP is now disabled on the current IdM server.

Verification

  • Verify that the symbolic link does not exist: 

    $ ls -l /etc/httpd/conf.d/ipa-kdc-proxy.conf
ls: cannot access '/etc/httpd/conf.d/ipa-kdc-proxy.conf': No such file or directory

20.4. Re-enabling KKDCP on an IdM server
Copy link

On an IdM server, the Kerberos Key Distribution Center Proxy (KKDCP) is enabled by default and available at https://server.idm.example.com/KdcProxy.

If KKDCP has been disabled on a server, you can re-enable it.

Prerequisites

  • You have root access to the IdM server.

Procedure

  1. Add the ipaConfigString=kdcProxyEnabled attribute and value pair to the directory: 

    # ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.uldif
Update complete
The ipa-ldap-updater command was successful

  2. Restart the httpd service: 

    # systemctl restart httpd.service

KKDCP is now enabled on the current IdM server.

Verification

  • Verify that the symbolic link exists: 

    $ ls -l /etc/httpd/conf.d/ipa-kdc-proxy.conf
lrwxrwxrwx. 1 root root 36 Jun 21  2020 /etc/httpd/conf.d/ipa-kdc-proxy.conf -> /etc/ipa/kdcproxy/ipa-kdc-proxy.conf

20.5. Configuring the KKDCP server I
Copy link

With the following configuration, you can enable TCP to be used as the transport protocol between the IdM KKDCP and the Active Directory (AD) realm, where multiple Kerberos servers are used.

Prerequisites

  • You have root access.

Procedure

  1. Set the use_dns parameter in the [global] section of the /etc/ipa/kdcproxy/kdcproxy.conf file to false. 

    [global]
use_dns = false

  2. Put the proxied realm information into the /etc/ipa/kdcproxy/kdcproxy.conf file. For example, for the [AD.EXAMPLE.COM] realm with proxy list the realm configuration parameters as follows: 

    [AD.EXAMPLE.COM]
kerberos = kerberos+tcp://1.2.3.4:88 kerberos+tcp://5.6.7.8:88
kpasswd = kpasswd+tcp://1.2.3.4:464 kpasswd+tcp://5.6.7.8:464
    Important

    The realm configuration parameters must list multiple servers separated by a space, as opposed to /etc/krb5.conf and kdc.conf, in which certain options may be specified multiple times.

  3. Restart Identity Management (IdM) services: 

    # ipactl restart

Configure the Identity Management (IdM) Kerberos Key Distribution Center Proxy (KKDCP) server to enable DNS-based KDC discovery for Active Directory (AD) realms already declared in the MIT Kerberos configuration. Use this approach when your AD realms are defined in /etc/krb5.conf or /etc/krb5.conf.d/. In a standard IdM deployment with an AD trust, this is the case by default.

Prerequisites

  • You have root access.
  • Your AD realms are declared in the MIT Kerberos configuration (/etc/krb5.conf or /etc/krb5.conf.d/).

Procedure

  1. In the /etc/ipa/kdcproxy/kdcproxy.conf file, in the [global] section, set configs = mit and use_dns = true: 

    [global]
configs = mit
use_dns = true

    The configs = mit setting imports the MIT Kerberos configuration into kdcproxy, making realms declared there available for DNS-based KDC discovery.

  2. Optional: To re-enable DNS-based KDC discovery for all realms, add the dns_realm_discovery parameter to the [global] section.

    Warning

    Red Hat recommends against setting dns_realm_discovery = true. It restores the pre-CVE-2025-59088 behavior and enables any client to trigger DNS SRV record lookups for arbitrary realm names, which can be exploited to probe internal network addresses and exfiltrate data via server-side request forgery. 

    [global]
configs = mit
use_dns = true
dns_realm_discovery = true

  3. Restart Identity Management (IdM) services: 

    # ipactl restart

Configure the Identity Management (IdM) KKDCP server to enable DNS-based KDC discovery for Active Directory (AD) realms by declaring them explicitly in the kdcproxy configuration. Use this approach when your AD realms are not defined in the MIT Kerberos configuration, or when configs = mit is not set.

Prerequisites

  • You have root access.

Procedure

  1. In the /etc/ipa/kdcproxy/kdcproxy.conf file, the [global] section, set the use_dns parameter to true. 

    [global]
use_dns = true

  2. Add a section for each AD realm to /etc/ipa/kdcproxy/kdcproxy.conf, specifying the KDC servers explicitly: 

    [AD.EXAMPLE.COM]
kerberos = kerberos+tcp://ad-dc1.ad.example.com:88 kerberos+tcp://ad-dc2.ad.example.com:88
kpasswd = kpasswd+tcp://ad-dc1.ad.example.com:464 kpasswd+tcp://ad-dc2.ad.example.com:464

    Replace AD.EXAMPLE.COM with the name of your AD realm, and ad-dc1.ad.example.com and ad-dc2.ad.example.com with the hostnames or IP addresses of your AD domain controllers. You can list multiple servers space-separated on a single line.

    Important

    The realm configuration parameters must list multiple servers separated by a space, as opposed to /etc/krb5.conf and kdc.conf, in which certain options can be specified multiple times.

    Note

    When use_dns = true is set globally, empty realm sections are sufficient to add realms to the allow-list. You do not need to specify KDC servers explicitly. For example: 

    [global]
use_dns = true

[SUB1.AD.EXAMPLE.COM]
[SUB2.AD.EXAMPLE.COM]

    To cover an AD forest with multiple sub-realms, you can also use a wildcard section prefixed with *. For example, [*AD.EXAMPLE.COM] matches AD.EXAMPLE.COM and CHILD.AD.EXAMPLE.COM, but not MYADEXAMPLE.COM.

  3. Optional: If you cannot add dedicated realm sections, you can re-enable DNS-based KDC discovery for all realms by adding the dns_realm_discovery parameter to the [global] section.

    Warning

    Red Hat recommends against setting dns_realm_discovery = true. It restores the pre-CVE-2025-59088 behavior and enables any client to trigger DNS SRV record lookups for arbitrary realm names, which can be exploited to probe internal network addresses and exfiltrate data via server-side request forgery. 

    [global]
use_dns = true
dns_realm_discovery = true

  4. Restart Identity Management (IdM) services: 

    # ipactl restart
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Legal Notice

Theme

© 2026 Red HatBack to top