Architectural Question...

Michael A Stauffer chilango at uwyo.edu
Thu Feb 13 13:38:48 EST 2003



Can you provide any references or documentation on this?  I have looked
through all of the Microsoft documents I can get a hold of, and can find
no information on this.

Thanks,
Michael

 
> Date: Fri, 7 Feb 2003 01:49:12 +1100
> From: Luke Howard <lukeh at PADL.COM>
> To: ttcowan at us.ibm.com
> Cc: kerberos at mit.edu
> Subject: Re: Architectural Question ...
> Message-ID: <200302061449.BAA08398 at au.padl.com>
> References: <200302060518.QAA03651 at au.padl.com>
> 	<63247f.0302060603.4f504bdd at posting.google.com>
> Content-Type: text/plain; charset=US-ASCII
> MIME-Version: 1.0
> Precedence: list
> Reply-To: lukeh at PADL.COM
> Message: 4
> 
> 
> If a Windows 2000 service is not running as the local system account,
> then the Local Security Authority will contact the KDC to validate
> the authorisation data in the ticket. This is to prevent a service
> running with least privilege from forging a ticket to itself with
> more privileged authorisation data.
> 
> In practice only the Local Security Authority has access to the
> service key, so this attack would not be possible. It certainly adds
> a layer of complexity as far as interoperability is concerned.
> 
> -- Luke
> 
> >From: ttcowan at us.ibm.com (Tony Cowan)
> >Subject: Re: Architectural Question ...
> >To: kerberos at mit.edu
> >Date: 6 Feb 2003 06:03:30 -0800
> >Organization: http://groups.google.com/
> >
> >> No, that's the beauty of Kerberos.
> >
> >Thanks Luke.
> >Someone tells me they've been sniffing and found that one particular
> >implementation does in fact hit the KDC to validate the ticket.
> >I wonder if it's actually hitting the KDC for some other purpose.
> >Getting further information perhaps .. I guess the "session" key
> >should be in the original message, so it shouldn't need to fetch that
> >... I wonder what else it might be.
> >
> >Cheers,
> >Tc.
> >________________________________________________
> >Kerberos mailing list           Kerberos at mit.edu
> >https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> --
> Luke Howard | PADL Software Pty Ltd | www.padl.com
> ------------------------------
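The check Luke describes can be modelled with two keyed signatures over the ticket's authorisation data: one a service can verify with its own key, and one only the KDC can verify. The toy model below is an added illustration, not code from the thread or from Windows; the HMAC-based signatures, keys and PAC layout are constructed simplifications and are not the real Kerberos formats.

```python
import hmac
import hashlib
import json

# Constructed toy keys for the model (assumption: not real Kerberos keys).
SERVICE_KEY = b"service-long-term-key"
KDC_KEY = b"krbtgt-long-term-key"


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def issue_pac(kdc_key: bytes, service_key: bytes, authz: dict) -> dict:
    """KDC issues authorisation data with a service signature and a KDC signature over it."""
    body = json.dumps(authz, sort_keys=True).encode()
    server_sig = _mac(service_key, body)
    kdc_sig = _mac(kdc_key, server_sig)  # only the KDC holds kdc_key
    return {"body": body, "server_sig": server_sig, "kdc_sig": kdc_sig}


def verify_locally(pac: dict, service_key: bytes) -> bool:
    """All a service can check on its own: the signature made with its own key."""
    return hmac.compare_digest(_mac(service_key, pac["body"]), pac["server_sig"])


def verify_at_kdc(pac: dict, kdc_key: bytes) -> bool:
    """What the LSA asks the KDC to confirm: the KDC signature over the service signature."""
    return hmac.compare_digest(_mac(kdc_key, pac["server_sig"]), pac["kdc_sig"])


def resign_with_service_key(pac: dict, service_key: bytes, authz: dict) -> dict:
    """Model of a principal that holds the service key altering its own authorisation data.
    It can recompute the service signature but must reuse the KDC signature unchanged."""
    body = json.dumps(authz, sort_keys=True).encode()
    return {"body": body, "server_sig": _mac(service_key, body), "kdc_sig": pac["kdc_sig"]}


def demo() -> dict:
    genuine = issue_pac(KDC_KEY, SERVICE_KEY, {"user": "alice", "groups": ["Users"]})
    altered = resign_with_service_key(
        genuine, SERVICE_KEY, {"user": "alice", "groups": ["Users", "Administrators"]})
    return {
        "genuine_local": verify_locally(genuine, SERVICE_KEY),  # True
        "genuine_kdc": verify_at_kdc(genuine, KDC_KEY),         # True
        "altered_local": verify_locally(altered, SERVICE_KEY),  # True: local check is fooled
        "altered_kdc": verify_at_kdc(altered, KDC_KEY),         # False: KDC check catches it
    }
```

The altered data passes the local check but fails the KDC check, which is why a service that is not trusted with full system rights has its tickets' authorisation data validated by the KDC rather than only by its own key.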


