AW: Proof of authenticity of TGT

Ken Raeburn raeburn at MIT.EDU
Wed Aug 23 10:28:39 EDT 2006

On Aug 23, 2006, at 3:43, Olfmatic wrote:
> I understand your warnings. But it is not possible to add the  
> service to the realm, because it is running on a host that is not  
> in the same windows domain and not in the same kerberos realm. To  
> be more precise, it is not running in a kerberos realm at all and  
> thus is not really a kerberos service.

If you already have the ability to modify the application client and  
server code to send and verify the TGT, then the only thing  
preventing you from doing the same with a normal service ticket would  
be your KDC.  In which case, you're not talking about the MIT KDC,  
and then I can't help you with getting the TGT key out.

But I'd be really surprised if a Windows KDC couldn't be convinced to  
add an arbitrary service principal somehow.  (But since I don't play  
around with Windows KDCs much, I couldn't tell you how to do it  
without doing all the same Google searches that you'd expect to have  
to do.)


More information about the Kerberos mailing list