AS_REP question

Jeffrey Altman jaltman2 at nyc.rr.com
Fri Sep 30 09:51:15 EDT 2005


NetSteady wrote:
> We are just trying to replicate the processes that Kerberos for Windows
> goes through, and the only traffic that we see from a windows machine
> to a Kerberos KDC is the AS-REQ and AS-REP exchange. The process is
> supposed to be as simple and fast as possible for password validation,
> as our possible implementations will serve locations with up to 100,000
> credentials.
> 
> The password validation will act as part of a three-factor
> authentication. Username validation is only one of the factors, and the
> other two are VERY hard to spoof.
> 
> On the other hand, does anyone know of an existing DLL that will allow
> us to make calls to it, processing the credentials?
> 
> Chris

KFW does not perform password validation. The tickets obtained by KFW
are not used as a sign of permission to logon to the machine. The
tickets can only be considered validated after they have been used to
authenticate to a service that has decrypted the portion of the ticket
encrypted in the service principal's long term key.

If you are using the ticket as part of a password validation, you must
have a key for a service principal and you must obtain a service ticket
for that principal and validate that you can decrypt it with the service
principal's long term key.

Take a look at krb5_verify_init_creds()

Jeffrey Altman



-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
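The check Jeffrey describes, as a constructed toy model added here (not code from this thread or from MIT Kerberos): a KDC that can answer the AS-REQ but does not hold the service principal's long-term key cannot produce a service ticket that opens with the verifier's keytab, so the AS-REP alone proves nothing. Everything in it is hypothetical: `key_from`, `seal`, `unseal`, `KDC`, `verify_init_creds` and `demo` are stand-ins, keys are SHA-256 of a passphrase, and an HMAC tag replaces real Kerberos encryption.

```python
"""Toy model of the check behind krb5_verify_init_creds(). Constructed example: keys
are SHA-256 of a passphrase and "sealing" is an HMAC tag, not Kerberos encryption."""
import hashlib, hmac, json

def key_from(secret: str) -> bytes:  # stand-in for Kerberos string-to-key
    return hashlib.sha256(secret.encode()).digest()

def seal(key: bytes, fields: dict) -> bytes:
    """Payload plus a tag that only a holder of `key` can produce."""
    body = json.dumps(fields, sort_keys=True).encode()
    return body + b"." + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def unseal(key: bytes, blob: bytes):
    """The fields if the tag checks out under `key`, else None."""
    body, _, tag = blob.rpartition(b".")
    want = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return json.loads(body) if hmac.compare_digest(want, tag) else None

class KDC:  # holds the long-term keys of the principals it knows about
    def __init__(self, principals: dict):
        self.keys = principals
    def as_rep(self, client: str) -> bytes:
        # AS-REP: TGT sealed under the client's password-derived key.
        return seal(self.keys[client], {"cname": client, "tgt": True})
    def tgs_rep(self, client: str, service: str) -> bytes:
        # TGS-REP: service ticket sealed under the *service's* long-term key;
        # a KDC that lacks that key can only seal under something else.
        key = self.keys.get(service, key_from("not-the-service-key"))
        return seal(key, {"cname": client, "sname": service})

def verify_init_creds(kdc: KDC, client: str, client_key: bytes, keytab: dict) -> bool:
    """Mirror of krb5_verify_init_creds(): AS-REP must open with the client key,
    then a service ticket for a keytab principal must open with that key too."""
    if unseal(client_key, kdc.as_rep(client)) is None:
        return False  # wrong password, or the reply was not meant for us
    service, service_key = next(iter(keytab.items()))
    ticket = unseal(service_key, kdc.tgs_rep(client, service))
    return ticket is not None and ticket["cname"] == client

def demo() -> dict:
    """Genuine KDC versus one that knows the user's key but not the service's."""
    alice, svc = key_from("alice-passphrase"), key_from("app-service-key")
    keytab = {"host/app.example": svc}
    genuine = KDC({"alice": alice, "host/app.example": svc})
    lone = KDC({"alice": alice})  # answers the AS-REQ, cannot mint a real service ticket
    return {
        "genuine_ok": verify_init_creds(genuine, "alice", alice, keytab),
        "lone_as_rep_opens": unseal(alice, lone.as_rep("alice")) is not None,
        "lone_verified": verify_init_creds(lone, "alice", alice, keytab),
    }
```

`demo()` returns `genuine_ok` True, `lone_as_rep_opens` True and `lone_verified` False: the AS-REP opened fine in both cases, and only the keytab check told them apart.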
