Kerberos Implementation in a distributed Windows environment

Sam Hartman hartmans at MIT.EDU
Fri Oct 10 18:18:55 EDT 2003


>>>>> "sanford" == sanford sham <sanford.sham at accenture.com> writes:
    sanford> The problem comes when simultaneous transactions are conducted. Let's say
    sanford> all EAI boxes fire a transaction to the same Websphere services at the
    sanford> same time. Since it's hosted by the same domain account, the user that is
    sanford> seen on the kerberos ticket is the same. Also, since it is fired at the
    sanford> same time, the timestamp is the same (or very close). Therefore, after
    sanford> receiving the first transaction, Websphere rejects all subsequent
    sanford> transactions on the basis of duplicate Kerberos tickets being sent (or
    sanford> replay).


If you are getting replay cache errors, you should contact your
Microsoft support channels and let them know that you are running into
a Kerberos replay cache problem working with another Kerberos
implementation.  They are familiar with problems in this space and
have been looking at solutions.

The problem seems to be that MIT Kerberos interprets the spec for
uniqueness of authenticators.  Microsoft does technically violate the
spec, although recent discussions within the IETF suggest that the
spec should be loosened to make it easier to implement.
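As an added illustration (not code from this thread, from MIT Kerberos or from Microsoft), a toy replay cache in Python showing why two concurrent requests from the same service account with an identical timestamp collide under a strict reading of authenticator uniqueness, and how an assumed loosening that also keys on a hash of the authenticator bytes still catches a verbatim replay while letting distinct concurrent requests through. All principal names, the clock value and the authenticator layout are constructed for the example.

```python
import hashlib

CLOCK_SKEW = 300  # seconds; authenticators outside this window are rejected outright


class ReplayCache:
    """Toy replay cache. strict=True keys on (client, server, ctime, cusec),
    a strict reading of authenticator uniqueness; strict=False additionally
    keys on a hash of the authenticator bytes (an assumed loosening, not
    what either implementation in the thread does)."""

    def __init__(self, strict=True):
        self.strict = strict
        self.seen = {}  # key -> ctime of the accepted authenticator

    def _key(self, auth):
        base = (auth["client"], auth["server"], auth["ctime"], auth["cusec"])
        if self.strict:
            return base
        return base + (hashlib.sha256(auth["raw"]).hexdigest(),)

    def check(self, auth, now):
        """Return 'skew', 'replay' or 'ok'; an accepted authenticator is recorded."""
        if abs(now - auth["ctime"]) > CLOCK_SKEW:
            return "skew"
        # Drop entries that have aged out of the skew window so the cache stays bounded.
        self.seen = {k: t for k, t in self.seen.items() if abs(now - t) <= CLOCK_SKEW}
        key = self._key(auth)
        if key in self.seen:
            return "replay"
        self.seen[key] = auth["ctime"]
        return "ok"


def make_auth(client, server, ctime, cusec, seq):
    # Constructed stand-in for an AP-REQ authenticator; the sequence number makes
    # the raw bytes of two concurrent requests differ even with equal timestamps.
    raw = f"{client}|{server}|{ctime}|{cusec}|seq={seq}".encode()
    return {"client": client, "server": server, "ctime": ctime, "cusec": cusec, "raw": raw}


def simulate(strict):
    """Two EAI boxes under one domain account hit the service at the same instant
    (same second, same microsecond), then the first request is replayed verbatim."""
    now = 1065824335  # constructed fixed clock value
    cache = ReplayCache(strict=strict)
    a1 = make_auth("svc_eai@EXAMPLE", "websphere/host@EXAMPLE", now, 123456, seq=1)
    a2 = make_auth("svc_eai@EXAMPLE", "websphere/host@EXAMPLE", now, 123456, seq=2)
    return [cache.check(a1, now), cache.check(a2, now), cache.check(a1, now)]
```

With strict keying the second, legitimate request is reported as a replay, which is the symptom described in the quoted message; with the hash-extended key only the genuine repeat of the first authenticator is rejected.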
