non-KDC replay cache problems?
Nicolas.Williams at sun.com
Tue Dec 23 01:00:15 EST 2008
On Mon, Dec 22, 2008 at 01:11:50PM -0500, Tom Yu wrote:
> Has anyone experienced problems due to false positive conditions on an
> application replay cache? [...]
Yes, this happens with Windows clients, where the Kerberos stack may
re-use a seconds and microseconds value, if multiple AP-REQs are
initiated in the same second, but with a different sub-session key.
> If it turns out that almost all of the problems are due to the KDC
> replay cache, we can consider turning off the KDC replay cache, as we
> believe that doing so poses negligible security consequences, and is
> substantially easier.
The KDC replay cache is not an issue, although the replay cache for
TGS-REQs needs to behave similarly to the AP-REQ replay cache.
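The collision described above (two AP-REQs from the same Windows client in the same second, carrying the same ctime and cusec but different sub-session keys) can be reproduced with a toy replay cache. This is an added example, not code from the thread or from any Kerberos implementation; the Authenticator fields, the sample principals and the hashed-key variant are assumptions. It shows a cache keyed only on (client, server, ctime, cusec) reporting a false KRB_AP_ERR_REPEAT on the second request, while a cache whose key also includes a hash of the authenticator bytes accepts it and still rejects a genuine replay of the same authenticator.

```python
import hashlib
from dataclasses import dataclass

CLOCK_SKEW = 300  # seconds; an authenticator older than this is rejected anyway, so its entry can be dropped


@dataclass(frozen=True)
class Authenticator:
    """Fields of an AP-REQ authenticator that matter for replay detection (assumed subset).
    subkey is the per-AP-REQ sub-session key chosen by the client."""
    client: str
    server: str
    ctime: int    # client time, whole seconds
    cusec: int    # client time, microseconds
    subkey: bytes

    def wire_bytes(self) -> bytes:
        # Constructed stand-in for the encrypted, DER-encoded authenticator;
        # a real implementation would hash the ciphertext it actually received.
        return b"|".join([self.client.encode(), self.server.encode(),
                          str(self.ctime).encode(), str(self.cusec).encode(),
                          self.subkey])


class TimestampReplayCache:
    """Replay cache keyed on (client, server, ctime, cusec) only."""

    def __init__(self):
        self._seen = {}  # key -> ctime, kept so stale entries can be expired

    def _key(self, auth):
        return (auth.client, auth.server, auth.ctime, auth.cusec)

    def _expire(self, now):
        cutoff = now - CLOCK_SKEW
        for k in [k for k, t in self._seen.items() if t < cutoff]:
            del self._seen[k]

    def check_and_store(self, auth, now):
        """Return True if the authenticator is fresh (and record it), False if it
        collides with an entry already in the cache (i.e. KRB_AP_ERR_REPEAT)."""
        self._expire(now)
        k = self._key(auth)
        if k in self._seen:
            return False
        self._seen[k] = auth.ctime
        return True


class HashedReplayCache(TimestampReplayCache):
    """Same cache, but the key also carries a hash of the authenticator bytes,
    so two distinct authenticators that share a timestamp are told apart."""

    def _key(self, auth):
        digest = hashlib.sha256(auth.wire_bytes()).hexdigest()
        return super()._key(auth) + (digest,)


def run(cache, authenticators, now):
    return [cache.check_and_store(a, now) for a in authenticators]


def windows_burst():
    """Two AP-REQs from one client in the same second with identical ctime/cusec
    but different sub-session keys: distinct requests, not a replay."""
    now = 1_230_000_000
    client, server = "alice@EXAMPLE.COM", "host/fs.example.com@EXAMPLE.COM"
    burst = [
        Authenticator(client, server, now, 123456, b"subkey-A"),
        Authenticator(client, server, now, 123456, b"subkey-B"),
    ]
    return {
        "timestamp_only": run(TimestampReplayCache(), burst, now),
        "with_hash": run(HashedReplayCache(), burst, now),
    }


def true_replay():
    """The same authenticator delivered twice: both caches must reject the second copy."""
    now = 1_230_000_000
    a = Authenticator("alice@EXAMPLE.COM", "host/fs.example.com@EXAMPLE.COM",
                      now, 123456, b"subkey-A")
    return {
        "timestamp_only": run(TimestampReplayCache(), [a, a], now),
        "with_hash": run(HashedReplayCache(), [a, a], now),
    }


if __name__ == "__main__":
    print("windows burst:", windows_burst())  # timestamp-only cache flags a false replay
    print("true replay:  ", true_replay())    # both caches reject the second copy
```

The timestamp-only cache cannot distinguish the two burst requests because everything it keys on is identical; only the authenticator contents differ. Hashing the authenticator bytes into the key removes the false positive without weakening replay detection, since an attacker replaying a captured AP-REQ necessarily resends the same bytes.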