Java Pre-auth for Windows 2003 mixed case revival
Mike Chapel
spielfriek at gmail.com
Thu Feb 10 15:11:40 EST 2005
> The first problem is Java is sending the pa-enc-timestamp with the first
> request. If it did not then you would get the (25) response. I think
> that is the real solution.
>
> The pseudo code on page 92 says:
>
> if(client.pa_enc_timestamp_required and
>    pa_enc_timestamp not present) then
>         error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP));
> endif
> > If so since I already send the as-req
> > automatically with the pa-enc-timestamp, if I get the
> > KDC_ERR_PREAUTH_REQUIRED,
> Don't send any pre-auth in the first request.
That sounds like a valid path to take. Of course
pa_enc_timestamp_required would have to be a config set option that
could be set to true or false. Some customers wouldn't want the
performance hit of having to resend the as_req twice as a workaround to
comply with the MS AD case name problem. But I do agree that I could
create a parameter pa_enc_timestamp_required = false, then send the
as_req without a preauth, then handle the (25) scenario. This won't
fix the problem if they set it to "true". The problem would possibly
still arise for MS AD, but it is a workable solution for people using MS AD
2003.
Thanks for the input.
Michael W. Chapel
Java Kerberos/JGSS Development
IBM/Tivoli Java Security
Austin Texas
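
The trade-off discussed in this message, as an added example that is not part of the original post or of any Kerberos implementation: a toy client and KDC showing one AS-REQ with a guessed salt versus two AS-REQs with the salt taken from the (25) reply. It assumes the case problem is a salt mismatch and that the (25) error carries the KDC's salt, neither of which the post spells out; `ToyKDC`, `login`, `preauth_in_first_request` and the sample names are hypothetical, and the key derivation and timestamp MAC are stand-ins for the real Kerberos primitives.

```python
import hashlib
import hmac

KDC_ERR_C_PRINCIPAL_UNKNOWN, KDC_ERR_PREAUTH_FAILED, KDC_ERR_PREAUTH_REQUIRED = 6, 24, 25

def string_to_key(password, salt):
    # Stand-in for a Kerberos string-to-key function: a different salt gives a different key.
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096)

def enc_timestamp(key, ts):
    # Stand-in for pa-enc-timestamp: a MAC over the timestamp, not real Kerberos encryption.
    return hmac.new(key, str(ts).encode(), hashlib.sha256).digest()

class ToyKDC:
    """Constructed KDC stub: name lookup ignores case, the stored salt does not (assumption)."""
    def __init__(self, realm, principal, password):
        self.name = principal.lower()
        self.salt = realm + principal            # salt in the case the KDC stored
        self.key = string_to_key(password, self.salt)
        self.requests = 0

    def as_req(self, principal, ts, pa_enc_timestamp=None):
        self.requests += 1
        if principal.lower() != self.name:
            return {"error": KDC_ERR_C_PRINCIPAL_UNKNOWN}
        if pa_enc_timestamp is None:
            # The page-92 check quoted above; the salt hint in the reply is an assumption.
            return {"error": KDC_ERR_PREAUTH_REQUIRED, "salt": self.salt}
        if not hmac.compare_digest(pa_enc_timestamp, enc_timestamp(self.key, ts)):
            return {"error": KDC_ERR_PREAUTH_FAILED}
        return {"error": 0}

def login(kdc, realm, typed_name, password, preauth_in_first_request, ts=1108066300):
    """Return (final error code, number of AS-REQs the KDC received)."""
    if preauth_in_first_request:
        # One round trip: the salt is guessed from the name exactly as the user typed it.
        key = string_to_key(password, realm + typed_name)
        reply = kdc.as_req(typed_name, ts, enc_timestamp(key, ts))
    else:
        # Two round trips: bare AS-REQ, then retry using the salt from the (25) reply.
        reply = kdc.as_req(typed_name, ts)
        if reply["error"] == KDC_ERR_PREAUTH_REQUIRED:
            key = string_to_key(password, reply["salt"])
            reply = kdc.as_req(typed_name, ts, enc_timestamp(key, ts))
    return reply["error"], kdc.requests
```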