Architectural Question ...

Luke Howard lukeh at PADL.COM
Thu Feb 6 09:49:12 EST 2003

If a Windows 2000 service is not running as the local system account,
then the Local Security Authority will contact the KDC to validate
the authorisation data in the ticket. This is to prevent a service
running with least privilege from forging a ticket to itself with
more privileged authorisation data.

In practice only the Local Security Authority has access to the
service key, so this attack would not be possible. It certainly adds
a layer of complexity as far as interoperability is concerned.

-- Luke

>From: ttcowan at (Tony Cowan)
>Subject: Re: Architectural Question ...
>To: kerberos at
>Date: 6 Feb 2003 06:03:30 -0800
>> No, that's the beauty of Kerberos.
>Thanks Luke.
>Someone tells me they've been sniffing and found that one particular
>implementation does in fact hit the KDC to validate the ticket.
>I wonder if it's actually hitting the KDC for some other purpose.
>Getting further information perhaps .. I guess the "session" key
>should be in the original message, so it shouldn't need to fetch that
>... I wonder what else it might be.

Luke Howard | PADL Software Pty Ltd |
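The reason the LSA has to go back to the KDC, rather than checking the ticket locally, is that the Windows PAC carries two keyed checksums: a server checksum over the PAC body keyed with the service's long-term key, and a KDC checksum over that server checksum keyed with the krbtgt key (MS-PAC, section 2.8). The following is an added example, not code from this thread or from any Windows component: a toy Python model of that layering, using plain HMAC-SHA1 over a JSON-serialised PAC instead of the real NDR wire encoding. The keys, the user name and the group list are constructed for the demonstration. It shows that whoever holds the service key can rewrite the authorisation data and produce a valid server checksum, but cannot produce a valid KDC checksum, which is exactly the check only the KDC can perform.

```python
"""Toy model of the two-layer PAC signature (not the MS-PAC wire format)."""
import hashlib
import hmac
import json

# Constructed keys for the example. In a real domain these are derived from
# the service account's and the krbtgt account's passwords.
SERVICE_KEY = b"constructed-service-long-term-key"   # known to the service's LSA
KRBTGT_KEY = b"constructed-krbtgt-long-term-key"     # known only to the KDC


def _pac_body(pac: dict) -> bytes:
    """Serialise the PAC with both signature fields zeroed, which is what the
    server checksum covers. json with sorted keys stands in for NDR here."""
    body = dict(pac)
    body["server_sig"] = ""
    body["kdc_sig"] = ""
    return json.dumps(body, sort_keys=True).encode()


def _mac(key: bytes, data: bytes) -> bytes:
    # The real PAC uses HMAC-MD5 (RC4) or HMAC-SHA1-96 (AES); untruncated
    # HMAC-SHA1 is used here purely as a stand-in keyed checksum.
    return hmac.new(key, data, hashlib.sha1).digest()


def sign_pac(pac: dict, service_key: bytes, krbtgt_key: bytes) -> dict:
    """KDC side: server checksum over the body with the service key, then the
    KDC checksum over the server checksum with the krbtgt key."""
    signed = dict(pac)
    server_sig = _mac(service_key, _pac_body(signed))
    kdc_sig = _mac(krbtgt_key, server_sig)
    signed["server_sig"] = server_sig.hex()
    signed["kdc_sig"] = kdc_sig.hex()
    return signed


def verify_server_checksum(pac: dict, service_key: bytes) -> bool:
    """What the service's LSA can check on its own with the service key."""
    expected = _mac(service_key, _pac_body(pac))
    return hmac.compare_digest(expected, bytes.fromhex(pac["server_sig"]))


def verify_kdc_checksum(pac: dict, krbtgt_key: bytes) -> bool:
    """What only the KDC can check, because only it holds the krbtgt key."""
    expected = _mac(krbtgt_key, bytes.fromhex(pac["server_sig"]))
    return hmac.compare_digest(expected, bytes.fromhex(pac["kdc_sig"]))


def forge_with_service_key(pac: dict, service_key: bytes) -> dict:
    """What a party holding only the service key can do: rewrite the
    authorisation data and recompute the server checksum. It cannot
    recompute the KDC checksum, so it has to leave the old one in place."""
    forged = dict(pac)
    forged["groups"] = sorted(set(forged["groups"]) | {"Domain Admins"})
    forged["server_sig"] = _mac(service_key, _pac_body(forged)).hex()
    return forged


def demo() -> dict:
    # Constructed PAC contents for a low-privilege user.
    pac = {"user": "tcowan", "groups": ["Domain Users"],
           "server_sig": "", "kdc_sig": ""}
    genuine = sign_pac(pac, SERVICE_KEY, KRBTGT_KEY)
    forged = forge_with_service_key(genuine, SERVICE_KEY)
    return {
        "genuine_local": verify_server_checksum(genuine, SERVICE_KEY),
        "genuine_kdc": verify_kdc_checksum(genuine, KRBTGT_KEY),
        # The forgery passes the only check the service can do locally...
        "forged_local": verify_server_checksum(forged, SERVICE_KEY),
        # ...and fails the check that requires the round trip to the KDC.
        "forged_kdc": verify_kdc_checksum(forged, KRBTGT_KEY),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'valid' if ok else 'INVALID'}")
```

The model also makes the interoperability point concrete: a non-Windows KDC that does not emit a KDC checksum at all gives the LSA nothing to verify, which is why this validation step matters when mixing implementations.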
