rharolde> Thanks for the link. Lots of pieces to get working there. Not rharolde> nearly as simple as TSIG. But good if you are already using rharolde> Kerberos. MS active directory is kerberos under the hood. You don't need to run a classic mit/hesiod KDC to get GSS-TSIG to work. But it is cryptic and a pain.