IIS refuse un-preauth-ed tickets?

John Washington jawashin at uiuc.edu
Tue Feb 19 12:11:11 EST 2008


There is a requirement that preauth'ed service accounts (which IIS would  
have) only accept preauthed tickets.

* Speedo <speedogoo at gmail.com> [2008-02-19 10:32]:
> Sorry to post into 2 groups.
> 
> I have a Java application using Kerberos to talk to IIS on a Windows
> domain. First I call java's kinit and then use the acquired initial
> TGT to connect to IIS with JGSS. When the initial ticket is pre-
> authed, I can get the web content. However, if I set the user account
> as "do not require preauth" and acquire such an un-preauth-ed initial
> TGT, and then get a service ticket for IIS using this TGT, it seems
> this ticket cannot be used to retrieve pages from IIS (using SPNEGO).
> Is this a designed feature?
> 
> Thanks
> Speedo
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 
John Washington       Security Officer, 
University of Illinois Urbana-Champaign
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20080219/e488ba11/attachment.bin


More information about the Kerberos mailing list