about step-by-step guide to Kerberos 5 Interoperability
Lara Adianto
m1r4cle_26 at yahoo.com
Mon Jun 7 05:43:34 EDT 2004
Thanks, that's a very clear explanation!

But I still can't understand why I should add the user to the local machine as well. When the server (the local machine) does AP-REQ processing, it doesn't need the username, right? The server only needs to compare the username in the authenticator and the ticket and see if the two of them match... Correct me if I'm wrong.

-lara-
--- Jeffrey Altman <jaltman2 at nyc.rr.com> wrote:
> Lara Adianto wrote:
> > 1. ksetup /setmachpassword password
> > If we don't do this, the user can't login although on the KDC site, it
> > seems that AS-REQ is being granted. Why?
> >
> > 2. Why do I need to add the user in the local machine (windows) in order
> > for it to be able to authenticate to MIT KDC, although actually the
> > username (or the principal in this case) is already added in the KDC?
>
> If pre-authentication is not being used it is possible for anyone to
> obtain a TGT for any principal, all you must do is ask the KDC for one
> and it will send it. The TGT is encrypted in the long term key of the
> principal and it is assumed that only the individual that knows that
> long term key can decrypt it. (naive assumption which is why
> pre-authentication should be required.)
>
> The machine you are logging into does not know whether or not
> pre-authentication was used to obtain the TGT. The user who obtains the
> TGT must authenticate herself to the machine. This requires an AS_REQ
> exchange in order to obtain a service ticket authenticating the user
> principal to the machine. Simply obtaining the Service Ticket does not
> prove authentication. The machine must be able to decrypt it and perform
> a mutual authentication proof using the knowledge provided within.
>
> The ksetup set machine password command performs the windows equivalent
> of providing a keytab on Unix. It gives the machine access to its long
> term key so that it is capable of decrypting the service ticket the user
> will present during an authentication at login.
>
> Jeffrey Altman
=====
------------------------------------------------------------------------------------
Life, you see, is never as good or as bad as one thinks
- Guy de Maupassant -
------------------------------------------------------------------------------------
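The AP-REQ processing both posts talk about, as an added example that is not part of the thread and not MIT or Microsoft code: a toy model of the three checks the host performs once it has its long-term key (decrypt the service ticket, decrypt the authenticator with the session key inside it and compare the client principal, then answer with an AP-REP for mutual authentication). The cipher is an HMAC-SHA256 keystream with an HMAC tag standing in for a real Kerberos encryption type, and every principal name and key is constructed for the example. The `demo()` function also runs the same AP-REQ against a host whose key was never set, which is the situation `ksetup /setmachpassword` (or a keytab on Unix) fixes, and against an authenticator whose name does not match the ticket.

```python
"""Toy model of Kerberos AP-REQ processing. Added example, not from the thread.
The cipher here is a stand-in (HMAC-SHA256 keystream + HMAC tag), not a Kerberos
encryption type, and all names and keys are constructed for illustration."""
import hashlib
import hmac
import json
import os
import time

CLIENT = "lara@EXAMPLE.COM"                      # constructed client principal
SERVICE = "host/pc1.example.com@EXAMPLE.COM"     # constructed host principal


def _subkey(key, label):
    """Derive separate encryption and MAC subkeys from one long-term key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, obj):
    """Encrypt-then-MAC a JSON-serialisable object; returns nonce || ct || tag."""
    plaintext = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag first: a wrong key fails here, before any plaintext is used."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)).decode())


def kdc_issue_service_ticket(client, service, service_key, now, lifetime=3600):
    """KDC side: ticket sealed under the host's long-term key, session key to the client."""
    session_key = os.urandom(32)
    ticket = encrypt(service_key, {"cname": client, "sname": service,
                                   "session_key": session_key.hex(),
                                   "endtime": now + lifetime})
    return ticket, session_key


def client_build_ap_req(ticket, session_key, client, now):
    """Client side: ticket plus an authenticator sealed under the session key."""
    return {"ticket": ticket,
            "authenticator": encrypt(session_key, {"cname": client, "ctime": now})}


def service_process_ap_req(ap_req, service_key, now, max_skew=300):
    """Host side. Without service_key (keytab / machine password) step 1 cannot succeed."""
    ticket = decrypt(service_key, ap_req["ticket"])                 # 1. needs long-term key
    if ticket["endtime"] < now:
        raise ValueError("ticket expired")
    session_key = bytes.fromhex(ticket["session_key"])
    authenticator = decrypt(session_key, ap_req["authenticator"])   # 2. needs session key
    if authenticator["cname"] != ticket["cname"]:                   #    name comparison
        raise ValueError("principal in authenticator does not match ticket")
    if abs(authenticator["ctime"] - now) > max_skew:
        raise ValueError("authenticator outside allowed clock skew")
    ap_rep = encrypt(session_key, {"ctime": authenticator["ctime"]})  # 3. mutual auth proof
    return ticket["cname"], ap_rep


def client_verify_ap_rep(ap_rep, session_key, expected_ctime):
    """Only a host that could read the ticket knows the session key to build this."""
    return decrypt(session_key, ap_rep)["ctime"] == expected_ctime


def demo():
    now = int(time.time())
    service_key = os.urandom(32)   # what ksetup /setmachpassword or a keytab provides
    ticket, session_key = kdc_issue_service_ticket(CLIENT, SERVICE, service_key, now)
    ap_req = client_build_ap_req(ticket, session_key, CLIENT, now)
    cname, ap_rep = service_process_ap_req(ap_req, service_key, now)
    result = {"cname": cname, "mutual_ok": client_verify_ap_rep(ap_rep, session_key, now)}
    # Same AP-REQ at a host that never received its long-term key.
    try:
        service_process_ap_req(ap_req, os.urandom(32), now)
        result["no_key"] = "accepted"
    except ValueError as exc:
        result["no_key"] = str(exc)
    # Authenticator naming a different principal than the ticket.
    mismatched = client_build_ap_req(ticket, session_key, "other@EXAMPLE.COM", now)
    try:
        service_process_ap_req(mismatched, service_key, now)
        result["mismatch"] = "accepted"
    except ValueError as exc:
        result["mismatch"] = str(exc)
    return result


if __name__ == "__main__":
    print(demo())
```

The model shows why a host cannot get past the first step without its own key: the name comparison Lara describes happens only after the ticket has been opened, and the session key needed to read the authenticator lives inside that ticket.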