non-KDC replay cache problems?

Nicolas Williams Nicolas.Williams at
Tue Dec 23 01:00:15 EST 2008

On Mon, Dec 22, 2008 at 01:11:50PM -0500, Tom Yu wrote:
> Has anyone experienced problems due to false positive conditions on an
> application replay cache?  [...]

Yes, this happens with Windows clients, where the Kerberos stack may
re-use a seconds-and-microseconds value if multiple AP-REQs are
initiated in the same second, but with a different sub-session key.

> If it turns out that almost all of the problems are due to the KDC
> replay cache, we can consider turning off the KDC replay cache, as we
> believe that doing so poses negligible security consequences, and is
> substantially easier.

The KDC replay cache is not an issue, although the replay cache for
TGS-REQs needs to behave similarly to the AP-REQ replay cache.
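The false-positive scenario described in this thread, as an added illustration that is not part of the original message or of any Kerberos implementation: a toy application replay cache keyed only on (client, server, seconds, microseconds) rejects a second, legitimate AP-REQ from a client that re-used the same timestamp with a different sub-session key, while a cache keyed on a hash over the whole authenticator (including the sub-session key) still catches a true replay. The principal names, timestamps and sub-session keys are constructed sample data, and keying the cache on an authenticator hash is a design choice assumed here for illustration, not something the thread prescribes.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Authenticator:
    """Fields of a Kerberos AP-REQ authenticator relevant to replay detection."""
    client: str     # client principal (constructed sample value in demo())
    server: str     # target service principal
    ctime: int      # client time, seconds
    cusec: int      # client time, microseconds
    subkey: bytes   # sub-session key chosen by the client for this AP-REQ


class ReplayCache:
    """Minimal in-memory replay cache; the key function decides what counts as 'seen'."""

    def __init__(self, key_fn):
        self._key_fn = key_fn
        self._seen = set()

    def check_and_store(self, auth: Authenticator) -> bool:
        """Return True if the authenticator is accepted, False if treated as a replay."""
        key = self._key_fn(auth)
        if key in self._seen:
            return False
        self._seen.add(key)
        return True


def timestamp_key(a: Authenticator):
    """Cache key built only from principals and the client timestamp.

    A client that re-uses the same seconds/microseconds pair for two distinct
    AP-REQs collides here, which is the false positive the thread describes.
    """
    return (a.client, a.server, a.ctime, a.cusec)


def authenticator_hash_key(a: Authenticator) -> str:
    """Cache key built from a hash over the whole authenticator (assumed design).

    Including the sub-session key makes two distinct AP-REQs that share a
    timestamp distinguishable, while an exact replay still hashes identically.
    """
    h = hashlib.sha256()
    for part in (a.client, a.server, str(a.ctime), str(a.cusec)):
        h.update(part.encode("utf-8"))
        h.update(b"\x00")  # separator so field boundaries cannot be confused
    h.update(a.subkey)
    return h.hexdigest()


def demo() -> dict:
    """Feed the same three AP-REQs to both caches and report accept/reject decisions."""
    # Constructed sample data: two legitimate AP-REQs in the same second with the
    # same timestamp but different sub-session keys, then an exact replay of the first.
    first = Authenticator("user@EXAMPLE.COM", "host/app.example.com@EXAMPLE.COM",
                          1230000000, 123456, b"\x01" * 16)
    second = Authenticator("user@EXAMPLE.COM", "host/app.example.com@EXAMPLE.COM",
                           1230000000, 123456, b"\x02" * 16)
    replay_of_first = first

    by_timestamp = ReplayCache(timestamp_key)
    by_hash = ReplayCache(authenticator_hash_key)
    requests = (first, second, replay_of_first)
    return {
        "timestamp_keyed": [by_timestamp.check_and_store(a) for a in requests],
        "hash_keyed": [by_hash.check_and_store(a) for a in requests],
    }


if __name__ == "__main__":
    for name, decisions in demo().items():
        print(f"{name:16s} accept decisions: {decisions}")
```

Running the block shows the timestamp-keyed cache rejecting the second, legitimate request as well as the real replay, whereas the hash-keyed cache accepts both legitimate requests and rejects only the replay.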

