questions about pre-auth

Pierre Goyette pierre at
Thu Jun 10 14:01:30 EDT 2004


I was taking some network traces an noticed that the client (even 2.6.3)
always first makes a basic AS-REQ and then if it fails with a
PREAUTH_REQUIRED, then makes a new attempt with the preauthentication

Is there an option in the Windows client so that the client always
includes the preauthenication data in the first AS-REQ ?

Pierre Goyette 

-----Original Message-----
From: kerberos-bounces at MIT.EDU [mailto:kerberos-bounces at MIT.EDU] On
Behalf Of Jeffrey Altman
Sent: Thursday, June 10, 2004 10:44 AM
To: kerberos at MIT.EDU
Subject: Re: questions about pre-auth

Johannes russek wrote:

> hi there
> i'd like to allow my users access to a kerberized service from 
> anywhere in the internet. to use it even more secure, i'd like to 
> require pre-auth, so i have control over the client machines.
> now my question: is the hostname part in the client-machines 
> host/foo at REALM ticket as sensitive as server-machine host ticket 
> hostnames are? am i only able to use pre-auth for machines, that have
static hostnames?
> what about dynamic hostnames for mobile users for example?
> best regards, johannes russek

When accessing a service, pre-authentication is not used to obtain the
service principal.  The user principal has already been authenticated
before the service ticket request is made to the KDC.

Pre-authentication would only be needed for a "host/fqdn" service
principal if the machine itself were going to obtain a TGT for itself in
order for it to authenticate to some other service.

Somehow I think you were trying to ask a different question.  I think
you were trying to ask "must the DNS name of the machine match the fqdn
specified in the "host/fqdn" principal assigned to the machine?"
The answer is not necessarily but for all practical purposes 'yes'.
The client must be able to determine the fqdn of the machine in order to
request a "host/fqdn" service ticket.  The service running on the
machine must know its fqdn in order to be able to read the appropriate
keytab entry for itself.

Typically, you would use dynamic DNS to update a commonly known entry
for the machine with its IP address.  When using Active Directory or
Lucent's QIP DNS service, this dynamic update can be machine
authenticated using GSSAPI Kerberos 5.  In this case, the machine would
know its own name, obtain a TGT, authenticate to the DNS service and
publish its new IP address for the world to see.

Jeffrey Altman

This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
Kerberos mailing list           Kerberos at

More information about the Kerberos mailing list