AW: Proof of authenticity of TGT
Ken Raeburn
raeburn at MIT.EDU
Wed Aug 23 10:28:39 EDT 2006
On Aug 23, 2006, at 3:43, Olfmatic wrote:

> I understand your warnings. But it is not possible to add the
> service to the realm, because it is running on a host that is not
> in the same windows domain and not in the same kerberos realm. To
> be more precise, it is not running in a kerberos realm at all and
> thus is not really a kerberos service.

If you already have the ability to modify the application client and
server code to send and verify the TGT, then the only thing
preventing you from doing the same with a normal service ticket would
be your KDC. In which case, you're not talking about the MIT KDC,
and then I can't help you with getting the TGT key out.

But I'd be really surprised if a Windows KDC couldn't be convinced to
add an arbitrary service principal somehow. (But since I don't play
around with Windows KDCs much, I couldn't tell you how to do it
without doing all the same Google searches that you'd expect to have
to do.)

Ken