Java Pre-auth for Windows 2003 mixed case revival
Jeffrey Hutzelman
jhutz at cmu.edu
Mon Feb 14 16:58:33 EST 2005
On Monday, February 14, 2005 01:34:20 PM -0800 Seema Malkani
<Seema.Malkani at Sun.COM> wrote:
> Maybe the next Kerberos clarifications should clarify this particular
> scenario.
A large part of the problem here is that KRB-ERROR does not actually have a
complete extension mechanism. It has e-data, which is a single octet
string whose meaning is implementation-defined except in the specific case
of KDC_ERR_PREAUTH_REQUIRED, in which case it is a sequence of PA-DATA.
The next Kerberos specification will likely clean this up considerably,
with a well-defined extension mechanism similar to those provided by
PA-DATA and AUTHORIZATION-DATA. For example, take a look at section 9 of
draft-ietf-krb-wg-rfc1510ter-00.txt (very much still a work in progress).
RFC1510bis (draft-ietf-krb-wg-kerberos-clarifications-07.txt) has been
approved by the IESG and is in the RFC Editor's queue awaiting publication.
Aside from copy-editing performed during the publication process, this
document is not expected to change again. If you would like to see
additional text in RFC1510ter clarifying the handling of cases where the
client sends the wrong preauth type, I'd suggest you make a proposal to
that effect on the IETF Kerberos Working Group mailing list,
<ietf-krb-wg at anl.gov>.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
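The e-data handling described in the message above, as an added example that is not part of the original post or of any Kerberos implementation: a small DER encoder and decoder for METHOD-DATA (SEQUENCE OF PA-DATA), with the decode gated on the error-code so that e-data is only interpreted as PA-DATA when the error is KDC_ERR_PREAUTH_REQUIRED and is left opaque for every other error-code, exactly as the message says. The function names, the sample KDC reply (PA-ENC-TIMESTAMP with an empty value plus a PA-ETYPE-INFO2 entry for etype 18 with a constructed salt) and the tag constants are this example's own assumptions; the ASN.1 shapes of PA-DATA and METHOD-DATA are those of the Kerberos protocol.

```python
"""
Encode and decode the KRB-ERROR e-data field as METHOD-DATA, but only when the
error-code is KDC_ERR_PREAUTH_REQUIRED; for any other error-code the field is
treated as an opaque, implementation-defined octet string and is not parsed.

  PA-DATA     ::= SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING }
  METHOD-DATA ::= SEQUENCE OF PA-DATA
"""

KDC_ERR_PREAUTH_REQUIRED = 25  # the one error-code whose e-data is METHOD-DATA
PA_ENC_TIMESTAMP = 2           # padata-type values used by the constructed sample
PA_ETYPE_INFO2 = 19

TAG_INTEGER, TAG_OCTET_STRING, TAG_SEQUENCE = 0x02, 0x04, 0x30
TAG_CTX1, TAG_CTX2 = 0xA1, 0xA2  # context-specific constructed [1] and [2]


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_int(n: int) -> bytes:
    """Minimal two's-complement INTEGER content octets."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True)


def encode_pa_data(padata_type: int, padata_value: bytes) -> bytes:
    return tlv(TAG_SEQUENCE,
               tlv(TAG_CTX1, tlv(TAG_INTEGER, der_int(padata_type)))
               + tlv(TAG_CTX2, tlv(TAG_OCTET_STRING, padata_value)))


def encode_method_data(entries) -> bytes:
    """entries: iterable of (padata-type, padata-value) pairs."""
    return tlv(TAG_SEQUENCE, b"".join(encode_pa_data(t, v) for t, v in entries))


def read_tlv(buf: bytes, off: int = 0):
    """Return (tag, content, next_offset); reject truncation and non-minimal lengths."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[off:off + n], "big")
        if length < 0x80 or buf[off] == 0:
            raise ValueError("non-minimal length encoding")
        off += n
    else:
        length = first
    end = off + length
    if end > len(buf):
        raise ValueError("TLV content runs past end of buffer")
    return tag, buf[off:end], end


def expect(buf: bytes, off: int, tag: int):
    """Read one TLV at off and require a specific tag."""
    got, content, end = read_tlv(buf, off)
    if got != tag:
        raise ValueError(f"expected tag {tag:#04x}, got {got:#04x}")
    return content, end


def decode_method_data(edata: bytes):
    """Parse METHOD-DATA into a list of (padata-type, padata-value) tuples."""
    seq, end = expect(edata, 0, TAG_SEQUENCE)
    if end != len(edata):
        raise ValueError("trailing bytes after METHOD-DATA")
    entries, off = [], 0
    while off < len(seq):
        pa, off = expect(seq, off, TAG_SEQUENCE)
        ctx1, pos = expect(pa, 0, TAG_CTX1)
        type_octets, e1 = expect(ctx1, 0, TAG_INTEGER)
        ctx2, pos = expect(pa, pos, TAG_CTX2)
        value, e2 = expect(ctx2, 0, TAG_OCTET_STRING)
        if e1 != len(ctx1) or e2 != len(ctx2) or pos != len(pa):
            raise ValueError("trailing bytes inside PA-DATA")
        entries.append((int.from_bytes(type_octets, "big", signed=True), bytes(value)))
    return entries


def interpret_edata(error_code: int, edata: bytes):
    """Decode e-data only when the error-code gives it a defined meaning."""
    if error_code != KDC_ERR_PREAUTH_REQUIRED:
        return None  # opaque, implementation-defined: do not parse it
    return decode_method_data(edata)


def sample_preauth_required_edata() -> bytes:
    """Constructed sample KDC reply (not a real capture): PA-ENC-TIMESTAMP with an
    empty value, plus PA-ETYPE-INFO2 carrying one entry {etype 18, salt "EXAMPLE.COMalice"}."""
    etype_info2 = tlv(TAG_SEQUENCE, tlv(TAG_SEQUENCE,
                      tlv(0xA0, tlv(TAG_INTEGER, der_int(18)))
                      + tlv(0xA1, tlv(0x1B, b"EXAMPLE.COMalice"))))
    return encode_method_data([(PA_ENC_TIMESTAMP, b""), (PA_ETYPE_INFO2, etype_info2)])
```

The gate in `interpret_edata` is the point of the message: a client that blindly decodes every KRB-ERROR's e-data as METHOD-DATA will misparse the implementation-defined bytes that other error codes may carry. The decoder also rejects non-minimal lengths and trailing bytes, which is the usual hardening for a parser fed data by the far side of a pre-authentication exchange.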