Java Pre-auth for Windows 2003 mixed case revival

Mike Chapel spielfriek at
Thu Feb 10 15:11:40 EST 2005

> The first problem is Java is sending the pa-enc-timestamp with the first
> request. If it did not then you would get the (25) response. I think
> that is the real solution.
> The pseudo code on page 92 says:
>  if(client.pa_enc_timestamp_required and
>            pa_enc_timestamp not present) then
>                 error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP));
>         endif
> > If so since I already send the as-req
> > automatically with the pa-enc-timestamp, if I get the
>  Don't send any pre-auth in the first request.

Thats sounds like a valid path to take. Of course
pa_enc_timestamp_required would have to be a config set option that
could be set to true or false. Some customers wouldn't want the
performance hit of having to resend the as_req twice as workaround to
comply with MS AD case name problem. But I do agree that I could
create a parameter pa_enc_timestamp_required = false then send the
as_req without an preauth, then handle the (25) scenario. This won't
fix the problem if they set it to "true". The problem would possibly
still arise for MS AD , but workable solution for people using MS AD

Thanks for the input.

Michael W. Chapel
Java Kerberos/JGSS Development
IBM/Tivoli Java Security 
Austin Texas

More information about the Kerberos mailing list