I'm not sure, but I'm just wondering whether the following scenario could be achieved:
For example, there is a proxy server sitting between the Kerberos Client and the Resource Server. At first, this proxy server will pretend to be the resource server and authorize itself with the KDC to get the master key. Then, in the subsequent packet transmission between the Kerberos Client and the real resource server, this proxy server could receive the packet from the client, decrypt the session key with the Master Key it received from the KDC earlier, decrypt the whole packet with the session key, process the packet, encrypt it with the session key, and then send it to the real resource server.
If the above scenario is possible, then how does this proxy server get the Master Key from the KDC? Can it present itself to the KDC as a Service Principal and receive the Master Key? If the answer is yes, then how can I implement it in C++? Is there sample code to do that?
Thanks a lot in advance,
Andy