about step-by-step guide to Kerberos 5 Interoperability

Jeffrey Altman jaltman2 at nyc.rr.com
Fri Jun 4 08:38:30 EDT 2004

Lara Adianto wrote:
> 1. ksetup /setmachpassword password
> If we don't do this, the user can't log in although on
> the KDC side, it seems that the AS-REQ is being granted.
> Why?
> 2. Why do I need to add the user in the local machine
> (windows) in order for it to be able to authenticate
> to MIT KDC, although actually the username (or the
> principal in this case) is already added in the KDC ?

If pre-authentication is not being used it is possible
for anyone to obtain a TGT for any principal, all you
must do is ask the KDC for one and it will send it.
The TGT is encrypted in the long term key of the principal
and it is assumed that only the individual who knows
that long term key can decrypt it.  (A naive assumption,
which is why pre-authentication should be required.)

The machine you are logging into does not know whether
or not pre-authentication was used to obtain the TGT.
The user who obtains the TGT must authenticate herself
to the machine.  This requires an AS_REQ exchange in
order to obtain a service ticket authenticating the
user principal to the machine.  Simply obtaining the
Service Ticket does not prove authentication.  The
machine must be able to decrypt it and perform a
mutual authentication proof using the knowledge
provided within.

The ksetup set machine password command performs the
Windows equivalent of providing a keytab on Unix.  It
gives the machine access to its long term key so that
it is capable of decrypting the service ticket the user
will present during an authentication at login.

Jeffrey Altman
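The point in the reply above, that a KDC which does not require pre-authentication hands out material encrypted in a principal's long-term key to anyone who asks, can be shown with a small model of the AS exchange. The following is an added example, not code from this thread or from MIT Kerberos or Windows: the realm, principals, wordlist and the "toy" cipher and string-to-key function are constructed stand-ins for the RFC 3961/3962 enctypes, chosen so the script runs offline with the standard library alone. It shows the two cases side by side: a principal without the requires-preauth flag, whose AS-REP enc-part an attacker can test candidate passwords against offline (the attack known today as AS-REP roasting), and a principal with the flag, where the KDC answers KDC_ERR_PREAUTH_REQUIRED until the requester sends a PA-ENC-TIMESTAMP that decrypts under the right key.

```python
"""Toy model of the Kerberos AS exchange with and without pre-authentication.

Added example; not from the mailing-list thread or any Kerberos implementation.
REALM, the principals, WORDLIST and the toy_* cipher are constructed for
illustration.  Real Kerberos uses the RFC 3961/3962 enctype profiles instead.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

ITERATIONS = 1000  # toy value; aes-sha1 string-to-key uses 4096 (RFC 3962)
SKEW = 300         # seconds of clock skew tolerated for PA-ENC-TIMESTAMP


def string_to_key(password: str, salt: str) -> bytes:
    """Derive a long-term key from the password. Kerberos salts with realm+name."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def toy_encrypt(key: bytes, plaintext: bytes) -> dict:
    """Keyed stream XOR plus an integrity tag (stand-in for a Kerberos enctype)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def toy_decrypt(key: bytes, blob: dict) -> Optional[bytes]:
    """Return the plaintext, or None when the tag does not verify under this key."""
    tag = hmac.new(key, blob["nonce"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None
    stream = _keystream(key, blob["nonce"], len(blob["ct"]))
    return bytes(c ^ s for c, s in zip(blob["ct"], stream))


class ToyKdc:
    """Holds each principal's long-term key and its requires-preauth flag."""

    def __init__(self, realm: str, principals: dict):
        self.db = {name: (string_to_key(pw, realm + name), preauth)
                   for name, (pw, preauth) in principals.items()}

    def as_request(self, cname: str, padata: Optional[dict] = None) -> Tuple[str, Optional[dict]]:
        key, requires_preauth = self.db[cname]
        if requires_preauth:
            if padata is None:
                return "KDC_ERR_PREAUTH_REQUIRED", None
            ts = toy_decrypt(key, padata)  # PA-ENC-TIMESTAMP under the client key
            if ts is None or abs(int(ts) - time.time()) > SKEW:
                return "KDC_ERR_PREAUTH_FAILED", None
        # Without pre-auth the KDC reaches this point for *any* requester.
        session_key = secrets.token_bytes(32)
        enc_part = toy_encrypt(key, b"session=" + session_key.hex().encode())
        return "AS-REP", enc_part


def make_preauth(password: str, salt: str) -> dict:
    """Client side of PA-ENC-TIMESTAMP: the current time under the long-term key."""
    return toy_encrypt(string_to_key(password, salt), str(int(time.time())).encode())


def offline_crack(enc_part: dict, salt: str, wordlist) -> Optional[str]:
    """Attacker's use of an AS-REP obtained without pre-auth: the enc-part only
    verifies under the right key, so every guess is checked without the KDC."""
    for guess in wordlist:
        if toy_decrypt(string_to_key(guess, salt), enc_part) is not None:
            return guess
    return None


REALM = "EXAMPLE.COM"                                   # constructed realm
KDC = ToyKdc(REALM, {"alice": ("Winter2004", False),    # no preauth required
                     "bob": ("correct horse", True)})   # +requires_preauth
WORDLIST = ["password", "Summer2003", "Winter2004", "letmein"]  # constructed


def demo() -> dict:
    results = {}
    # 1. alice: anyone may ask, and receives ciphertext under her long-term key.
    status, enc_part = KDC.as_request("alice")
    results["alice_status"] = status
    results["alice_cracked"] = offline_crack(enc_part, REALM + "alice", WORDLIST)
    # 2. bob: the KDC refuses until the requester proves knowledge of the key.
    results["bob_no_padata"] = KDC.as_request("bob")[0]
    results["bob_wrong_pw"] = KDC.as_request("bob", make_preauth("letmein", REALM + "bob"))[0]
    results["bob_right_pw"] = KDC.as_request("bob", make_preauth("correct horse", REALM + "bob"))[0]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On a real MIT KDC the flag modelled by the second principal is set with kadmin's `modprinc +requires_preauth`; the model keeps the host side out of scope, and the reply's separate point stands: even with pre-authentication enforced at the KDC, the Windows machine still needs its own long-term key (the `ksetup /setmachpassword` step) before it can decrypt the service ticket a user presents at login.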
