AS_REP question
Jeffrey Altman
jaltman2 at nyc.rr.com
Fri Sep 30 09:51:15 EDT 2005
NetSteady wrote:
> We are just trying to replicate the processes that Kerberos for Windows
> goes through, and the only traffic that we see from a windows machine
> to a Kerberos KDC is the AS-REQ and AS-REP exchange. The process is
> supposed to be as simple and fast as possible for password validation,
> as our possible implementations will serve locations with up to 100,000
> credentials.
>
> The password validation will act as part of a three-factor
> authentication. Username validation is only one of the factors, and the
> other two are VERY hard to spoof.
>
> On the other hand, does anyone know of an existing DLL that will allow
> us to make calls to it, processing the credentials?
>
> Chris
KFW does not perform password validation. The tickets obtained by KFW
are not used as a sign of permission to logon to the machine. The
tickets can only be considered validated after they have been used to
authenticate to a service that has decrypted the portion of the ticket
encrypted in the service principal's long term key.
If you are using the ticket as part of a password validation, you must
have a key for a service principal and you must obtain a service ticket
for that principal and validate that you can decrypt it with the service
principal's long term key.
Take a look at krb5_verify_init_creds()
Jeffrey Altman
--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
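The point in the reply above, modelled as an added example that is not code from the thread or from MIT krb5: toy crypto stands in for the Kerberos encryption types, a KDC is a pair of closures holding the user's key and the login host's key, and the two client-side checks are the AS-exchange-only one and the one krb5_verify_init_creds() performs. The realm, principal, salt and passwords are constructed; `make_kdc`, `validate_weak` and `validate_verified` are hypothetical names.

```python
import hashlib, hmac, os

SALT = b"EXAMPLE.ORGchris"  # constructed: realm + principal, the way Kerberos forms salts

def string_to_key(password: str, salt: bytes) -> bytes:
    # Toy stand-in for the Kerberos string-to-key function (not RFC 3961).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, 32)

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Toy EncryptedData: XOR keystream plus HMAC tag; unseal() fails under any other key.
    assert len(plaintext) <= 32, "toy keystream covers one SHA-256 output"
    nonce = os.urandom(16)
    stream = hashlib.sha256(key + nonce).digest()
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + body + hmac.new(key, nonce + body, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, "sha256").digest()):
        raise ValueError("wrong key: integrity check failed")
    stream = hashlib.sha256(key + nonce).digest()
    return bytes(c ^ s for c, s in zip(body, stream))

def make_kdc(user_key: bytes, host_key: bytes):
    # A KDC holds the user's key and the login host's service key. A rogue KDC
    # answering the AS-REQ is the same code instantiated with attacker-chosen keys.
    session = os.urandom(16)
    as_rep = lambda: seal(user_key, session)           # AS-REP enc-part
    service_ticket = lambda: seal(host_key, session)   # ticket for host/login
    return as_rep, service_ticket

def validate_weak(password: str, kdc) -> bool:
    # "Validation" from the AS exchange alone: it trusts whoever answered.
    as_rep, _ = kdc
    try:
        unseal(string_to_key(password, SALT), as_rep())
        return True
    except ValueError:
        return False

def validate_verified(password: str, kdc, keytab_key: bytes) -> bool:
    # What krb5_verify_init_creds() adds: get a ticket for our own service
    # principal and require that it decrypts under the key in our keytab.
    as_rep, service_ticket = kdc
    try:
        session = unseal(string_to_key(password, SALT), as_rep())
        return hmac.compare_digest(session, unseal(keytab_key, service_ticket()))
    except ValueError:
        return False
```

A KDC that does not hold the host's long-term key cannot produce a service ticket that decrypts with the keytab, so the second check rejects it no matter what password was typed.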