Architectural Question ...

Ken Raeburn raeburn at MIT.EDU
Thu Feb 6 09:45:34 EST 2003


ttcowan at us.ibm.com (Tony Cowan) writes:
> Someone tells me they've been sniffing and found that one particular
> implementation does in fact hit the KDC to validate the ticket.
> I wonder if it's actually hitting the KDC for some other purpose.
> Getting further information perhaps .. I guess the "session" key
> should be in the original message, so it shouldn't need to fetch that
> ... I wonder what else it might be.

Perhaps they were thinking of the login verification process?  At
login time, you get a ticket-granting ticket, which the local machine
has no way to validate directly because it doesn't have the key for
the ticket-granting service.  So it contacts the KDC to get a ticket
for some local service (say, the remote-login service
"host/foo.bar.com"), decrypts that, and uses that as confirmation that
the original password supplied was valid.

Ken
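The login-verification step Ken describes, modelled as an added Python example (not code from this thread, and not the real Kerberos wire format or cipher suite): a client gets a TGT it cannot inspect, then asks the KDC for a ticket to the local principal host/foo.bar.com and checks that the ticket decrypts under the key in its own keytab. The KDC class, login() and attempt() functions, the toy seal()/unseal() authenticated encryption, the PBKDF2 string-to-key, and the principal names and passwords are all constructed for this illustration. The scenario also includes a hypothetical rogue KDC that answers the AS exchange under a password of its own choosing but does not hold the real host key, which is exactly the case the keytab check is there to catch.

```python
import hashlib
import hmac
import json
import secrets

HOST = "host/foo.bar.com"   # local service principal named in the post


def derive_key(password: str, salt: str) -> bytes:
    """Toy string-to-key (real Kerberos has its own string2key; this is PBKDF2-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, payload: dict) -> bytes:
    """Toy authenticated encryption standing in for Kerberos EncryptedData.
    Layout: nonce(16) || ciphertext || HMAC-SHA256 tag(32)."""
    pt = json.dumps(payload, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Raises ValueError when the blob was not sealed under `key`."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("ticket does not decrypt under this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Hypothetical KDC: holds each principal's long-term key plus its own krbtgt key."""

    def __init__(self, principal_keys: dict):
        self.keys = principal_keys
        self.tgs_key = secrets.token_bytes(32)   # krbtgt key; never leaves the KDC

    def as_exchange(self, client: str):
        # AS-REP: session key sealed under the client's key, TGT sealed under the krbtgt key.
        session = secrets.token_bytes(32).hex()
        enc_part = seal(self.keys[client], {"session": session})
        tgt = seal(self.tgs_key, {"client": client, "session": session})
        return enc_part, tgt

    def tgs_exchange(self, tgt: bytes, service: str) -> bytes:
        # TGS-REP: open the TGT, issue a ticket for `service` sealed under that service's key.
        who = unseal(self.tgs_key, tgt)["client"]
        return seal(self.keys[service], {"client": who, "session": secrets.token_bytes(32).hex()})


def login(kdc: KDC, client: str, password: str, keytab_key: bytes = None):
    """Client-side login. Returns (tgt, verified); verified is True only when a
    ticket for HOST decrypted under the local keytab key."""
    enc_part, tgt = kdc.as_exchange(client)
    _session = unseal(derive_key(password, client), enc_part)["session"]   # wrong password -> ValueError
    if keytab_key is None:
        return tgt, False   # TGT is opaque to us: password "accepted" on the KDC's word alone
    ticket = kdc.tgs_exchange(tgt, HOST)
    if unseal(keytab_key, ticket)["client"] != client:   # rogue KDC lacks the host key -> ValueError
        raise ValueError("ticket issued for a different client")
    return tgt, True


def attempt(kdc: KDC, client: str, password: str, keytab_key: bytes = None) -> str:
    """Outcome as a string: 'verified', 'unverified' (no keytab check) or 'rejected'."""
    try:
        _, verified = login(kdc, client, password, keytab_key)
    except ValueError:
        return "rejected"
    return "verified" if verified else "unverified"


# Constructed scenario: the genuine KDC, and a rogue one that will happily answer the
# AS exchange under a password it picked but does not hold the real host/foo.bar.com key.
HOST_KEYTAB_KEY = secrets.token_bytes(32)
REAL_KDC = KDC({"alice": derive_key("correct horse", "alice"), HOST: HOST_KEYTAB_KEY})
ROGUE_KDC = KDC({"alice": derive_key("letmein", "alice"), HOST: secrets.token_bytes(32)})

if __name__ == "__main__":
    print("real KDC, right password, keytab:", attempt(REAL_KDC, "alice", "correct horse", HOST_KEYTAB_KEY))
    print("real KDC, wrong password        :", attempt(REAL_KDC, "alice", "wrong", HOST_KEYTAB_KEY))
    print("rogue KDC, no keytab check      :", attempt(ROGUE_KDC, "alice", "letmein"))
    print("rogue KDC, keytab check         :", attempt(ROGUE_KDC, "alice", "letmein", HOST_KEYTAB_KEY))
```

Without a keytab the client can only confirm that the AS-REP decrypts under the key derived from whatever password was typed, which is the "session key is in the original message" observation from the thread and is also why the rogue KDC passes that check; the extra TGS round trip for a local host ticket is what ties the login to a key only the real KDC and this machine share.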

