A Question about the Kerberos Exchange

Abhinav Bharti abhinav.bharti at nevisnetworks.com
Fri Feb 2 06:59:38 EST 2007


Hi,
 
The OS is Windows XP Service Pack 2.
 
As far as my understanding goes, once the TGT is received from the KDC (AS), the first thing that happens for a domain login is that a TGS-REQ is sent so that the user can authenticate to the local workstation.
 
What I am seeing here is that the TGS-REP with service type as host and the Principal as the local workstation is returning an error -
KRB5KDC_ERR_E_S_PRINCIPAL_UNKNOWN → Server not found in Kerberos database.
 
So that means I should not be able to access the local workstation resources (Does resources here mean only the kerberized resources?)
But when I try to access some other workstation in the domain I successfully get a ticket and I am able to access it.
 
Also AFAIK - to access some shared folder on a workstation the TGS exchange should always be succeeded by an AP_REQ. But my traces do not show these.
 
Can somebody explain --
 
1)  Is it necessary for a user to get a ticket to his/her local machine before he/she can get the ticket to other resources on the network?
2)  Does resources on the local workstation mean only the kerberized resources?
3)  If the user has not authenticated to his workstation, how can he access other resources on the network?
 
Any pointer will be helpful.
 
Regds
Abhinav
 


