MIT Kerberos Interop with Win2k
Zafar Baig
mzbaig5 at hotmail.com
Thu Mar 20 11:17:26 EST 2003
hi,
Can anyone tell me if there's a whitepaper or something that shows how MIT
krb5 addresses interop with Win2k domain? Won't the win2k domain reject the
TGS-REQ sent to it from a Win2k client that had obtained tickets from a krb5
KDC? I know that this works in the latest version of kerberos but I would
like to see what was done in it to make it work. Here's a typical failure:
1. AS-REQ win2k client -> KRB KDC
AS-REP KRB KDC <- win2k_client
2. TGS-REQ win2k client -> KRB KDC
TGS-REP KRB KDC <- win2k client
3. TGS-REQ win2k client -> win2k DC & KDC
KRB-ERROR win2k DC & KDC <- win2k client
This KRB-ERROR is expected if kerberos wasn't changed. The error would be
KRB5KRB_AP_ERR_MODIFIED since the tickets/PAC would look like they are not
compatible with Microsoft krb.
In which version of krb was this code inserted to overcome this issue? I
would like to see the differences as I have the tree with me.
Thanks in advance for your assistance.
Regards,
Zafar
_________________________________________________________________
Add photos to your e-mail with MSN 8. Get 2 months FREE*.
http://join.msn.com/?page=features/featuredemail
More information about the Kerberos
mailing list