Win logon to a MIT Kerberos V KDC?

Wyllys Ingersoll wyllys.ingersoll at
Fri Sep 27 08:18:35 EDT 2002

Steve Harper wrote:
> Definately remove the "REQUIRES_PRE_AUTH" flag from the principal for
> majorskan (which is your windows 2000 machine, if I'm not mistaken).  When
> the KDC is forcing the WIN2K client to generate PRE_AUTH data the client
> includes additional information (I think it's SID) in the
> Authorization_Data field of the ticket.  One way or the other the Logon
> will fail because MIT's KDC does not support these microsoft
> extensions.  I can guarentee that preauth on a principal will make your
> login fail when that login is coming from a Win2K machine to an MIT KDC.

I think this is incorrect.  The authorization data (PAC structure) can only
be added by an AD KDC, a client cannot add its own authorization data,
that would obviously be a "Bad Thing".   When an AD client requests
TGT from an AD KDC with Pre-auth, the KDC adds the authorization data
encoded in the private key of the server, not the client.  Clients cannot
read or write their own authorization field.   Unfortunately (as far as I know),
a non-MS KDC cannot create a PAC field that AD will respect.  Much of the
info included in the PAC field comes from other internal AD records and
can only be generated by AD.   If anyone knows of a Unix-based KDC
that can generate valid PAC data that AD will recognize and use, I'd love
to hear about it.

If the KDC is non-MS and the client is MS, it is safe to use pre-auth.
The default pre-auth type is TIMESTAMP, which MIT supports just fine.

-Wyllys Ingersoll

More information about the Kerberos mailing list