Java Pre-auth for Windows 2003 mixed case revival
Douglas E. Engert
deengert at anl.gov
Thu Feb 10 15:25:46 EST 2005
Mike Chapel wrote:
>>The first problem is Java is sending the pa-enc-timestamp with the first
>>request. If it did not then you would get the (25) response. I think
>>that is the real solution.
>>The pseudo code on page 92 says:
>> if(client.pa_enc_timestamp_required and
>> pa_enc_timestamp not present) then
>>>If so since I already send the as-req
>>>automatically with the pa-enc-timestamp, if I get the
>> Don't send any pre-auth in the first request.
> Thats sounds like a valid path to take. Of course
> pa_enc_timestamp_required would have to be a config set option that
> could be set to true or false.
The KDC has the option to require pre-auth, and most sites require it.
> Some customers wouldn't want the
> performance hit of having to resend the as_req twice as workaround to
> comply with MS AD case name problem.
The performance is negligible and only only occurs when the user
types in a password so it is hardly noticeable.
Since all other Kerberos clients that I have seen don't have this
client side option, If you add an option, please default it to false
and it will work everywhere.
In the future as PKINIT and /or other pre-auths are implemented, you
may have to send in the first request without any pre-auth just to find
out what the KDC will accept so you might as well do it now too.
> But I do agree that I could
> create a parameter pa_enc_timestamp_required = false then send the
> as_req without an preauth, then handle the (25) scenario. This won't
> fix the problem if they set it to "true". The problem would possibly
> still arise for MS AD , but workable solution for people using MS AD
False should work with any KDC.
> Thanks for the input.
We are looking forward to this fix.
> Michael W. Chapel
> Java Kerberos/JGSS Development
> IBM/Tivoli Java Security
> Austin Texas
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
More information about the Kerberos