Java Pre-auth for Windows 2003 mixed case revival

Jeffrey Hutzelman jhutz at
Mon Feb 14 16:58:33 EST 2005

On Monday, February 14, 2005 01:34:20 PM -0800 Seema Malkani 
<Seema.Malkani at Sun.COM> wrote:

> Maybe the next Kerberos clarifications should clarify this particular
> scenario.

A large part of the problem here is that KRB-ERROR does not actually have a 
complete extension mechanism.  It has e-data, which is a single octet 
string whose meaning is implementation-defined except in the specific case 
of KDC_ERR_PREAUTH_REQUIRED, in which case it is a sequence of PA-DATA.

The next Kerberos specification will likely clean this up considerably, 
with a well-defined extension mechanism similar to those provided by 
PA-DATA and AUTHORIZATION-DATA.  For example, take a look at section 9 of
draft-ietf-krb-wg-rfc1510ter-00.txt (very much still a work in progress).

RFC1510bis (draft-ietf-krb-wg-kerberos-clarifications-07.txt) has been 
approved by the IESG and is in the RFC Editor's queue awaiting publication. 
Aside from copy-editing performed during the publication process, this 
document is not expected to change again.  If you would like to see 
additional text in RFC1510ter clarifying the handling of cases where the 
client sends the wrong preauth type, I'd suggest you make a proposal to 
that effect on the IETF Kerberos Working Group mailing list, 
<ietf-krb-wg at>.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA

More information about the Kerberos mailing list