about step-by-step guide to Kerberos 5 Interoperability

Lara Adianto m1r4cle_26 at yahoo.com
Mon Jun 7 05:43:34 EDT 2004

Thanks, that's a very clear explanation!
But I still can't understand why I should add the user to the local machine
as well. When the server (the local machine) does AP-REQ processing, it
doesn't need the username, right? The server only needs to compare the
username in the authenticator and the ticket and see if the two of them
match... Correct me if I'm


--- Jeffrey Altman <jaltman2 at nyc.rr.com> wrote:
> Lara Adianto wrote:
> > 1. ksetup /setmachpassword password
> > If we don't do this, the user can't login although on the KDC site,
> > it seems that AS-REQ is being granted. Why?
> > 
> > 2. Why do I need to add the user in the local machine (windows) in
> > order for it to be able to authenticate to MIT KDC, although actually
> > the username (or the principal in this case) is already added in the
> > KDC?
>
> If pre-authentication is not being used it is possible for anyone to
> obtain a TGT for any principal, all you must do is ask the KDC for one
> and it will send it. The TGT is encrypted in the long term key of the
> principal and it is assumed that only the individual that knows that
> long term key can decrypt it.  (naive assumption which is why
> pre-authentication should be required.)
>
> The machine you are logging into does not know whether or not
> pre-authentication was used to obtain the TGT. The user who obtains the
> TGT must authenticate herself to the machine.  This requires an AS_REQ
> exchange in order to obtain a service ticket authenticating the user
> principal to the machine.  Simply obtaining the Service Ticket does not
> prove authentication.  The machine must be able to decrypt it and
> perform a mutual authentication proof using the knowledge provided
> within.
>
> The ksetup set machine password command performs the windows equivalent
> of providing a keytab on Unix.  It gives the machine access to its long
> term key so that it is capable of decrypting the service ticket the user
> will present during an authentication at login.
>
> Jeffrey Altman

Life, you see, is never as good or as bad as one thinks
                                                                        - Guy de Maupassant -
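A toy model of the exchange Jeffrey describes, added here as an illustration and not code from the thread or from MIT Kerberos: the KDC seals the service ticket under the host's long-term key, and the host can only recover the client name from the ticket, check it against the authenticator, and produce the mutual-authentication reply if it holds that key (which is what `ksetup /setmachpassword` supplies). The cipher, key names and principals are constructed stand-ins, not real krb5 encryption types.

```python
import hashlib, hmac, json, os, time
# Toy authenticated encryption standing in for a Kerberos etype (constructed, not krb5 crypto):
# SHA-256 keystream XOR plus an HMAC tag, so a wrong key fails cleanly instead of yielding junk.
def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("cannot decrypt: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Constructed host long-term key shared with the KDC; on Windows `ksetup /setmachpassword` supplies it (Unix: keytab).
HOST_KEY = hashlib.sha256(b"machine-password-set-by-ksetup").digest()

def kdc_issue_service_ticket(client_principal, service_key):
    """Simplified TGS-REP: ticket sealed under the service key, session key handed to the client."""
    session_key = os.urandom(32)
    ticket = seal(service_key, {"cname": client_principal, "key": session_key.hex()})
    return ticket, session_key

def client_build_ap_req(ticket, session_key, client_principal):
    """AP-REQ: the ticket as received plus an authenticator sealed under the session key."""
    auth = seal(session_key, {"cname": client_principal, "ctime": int(time.time())})
    return {"ticket": ticket, "authenticator": auth}

def server_process_ap_req(ap_req, service_key):
    """Returns (authenticated principal, AP-REP); the first step already fails without service_key."""
    ticket = unseal(service_key, ap_req["ticket"])
    session_key = bytes.fromhex(ticket["key"])
    auth = unseal(session_key, ap_req["authenticator"])
    if auth["cname"] != ticket["cname"]:
        raise ValueError("client name in authenticator does not match the ticket")
    if abs(time.time() - auth["ctime"]) > 300:
        raise ValueError("authenticator outside allowed clock skew")
    return ticket["cname"], seal(session_key, {"ctime": auth["ctime"]})  # AP-REP: mutual-auth proof

def host_accepts(ap_req, service_key):
    """True only if a host holding service_key can complete AP-REQ processing."""
    try:
        return bool(server_process_ap_req(ap_req, service_key))
    except ValueError:
        return False
```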

