Does anyone have any ideas on how I can get Kerberos to work with Network Address Translation? i.e. The users are behind a firewall which does NAT and want to connect to remote services using Keberos authentication. Oh, and this is using a hide NAT for a network, not a static NAT.

There are a couple of ideas out there but they all result in weakening the security (e.g. including the NAT address in the kerberos tickets IP list etc..)

Thanks