pre-authentication
Kevin Coffman
kwc at umich.edu
Tue Jun 24 08:48:47 EDT 2008
On Tue, Jun 24, 2008 at 1:15 AM, naveen.bn <naveen.bn at globaledgesoft.com> wrote:
>
> Hi Kevin,
>
> Guide on this. When I use require_preauth for the client and try to send
> the AS_REQ with pa-data using the command
> kinit -X X509_user_identity=FILE:/client/test.pem,/client/test.key naveen
>
> The first AS_REQ will go without pa-data to the KDC, the kdc will reply
> with KRB5KDC_ERR_PREAUTH_REQUIRED (25) and the second AS_REQ will go from
> the client to the KDC with pa-data filled and I get an AS_REP back from kdc
> with the ticket.
> Please help me in finding the reason behind AS_REQ going twice from the
> client.
This is the intended behavior of the MIT client. In the KDC's
PREAUTH_REQUIRED reply, it informs the client which preauth methods
may be used (and possibly some parameters for the methods, such as
certificates in the PKINIT case). The client then chooses a method
and sends a request with pa-data for the mutually acceptable preauth
method.
K.C.
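
The two-request exchange described in the reply above, as an added example that is not part of the original message and is not MIT krb5 code. ToyKDC, get_initial_ticket and the principal table are hypothetical names for this sketch, and the pa-data value is a constructed placeholder that is never cryptographically verified.

```python
# Toy model of the AS exchange (added example; not MIT krb5 code).
KDC_ERR_PADATA_TYPE_NOSUPP = 16   # RFC 4120 error codes
KDC_ERR_PREAUTH_REQUIRED = 25
PA_ENC_TIMESTAMP = 2              # padata types: RFC 4120 and RFC 4556 (PKINIT)
PA_PK_AS_REQ = 16


class ToyKDC:
    """Hypothetical KDC: name -> {"requires_preauth": bool, "methods": [...]}."""

    def __init__(self, principals):
        self.principals = principals

    def as_req(self, client, padata=None):
        entry = self.principals[client]
        if padata is None:
            if entry["requires_preauth"]:
                # The KRB-ERROR e-data lists the acceptable preauth methods.
                return {"msg": "KRB-ERROR", "code": KDC_ERR_PREAUTH_REQUIRED,
                        "method_data": list(entry["methods"])}
            return {"msg": "AS-REP", "ticket": "<constructed ticket>"}
        if padata["type"] not in entry["methods"]:
            return {"msg": "KRB-ERROR", "code": KDC_ERR_PADATA_TYPE_NOSUPP}
        # Assumption: the padata value is not cryptographically checked here.
        return {"msg": "AS-REP", "ticket": "<constructed ticket>"}


def get_initial_ticket(kdc, client, client_methods):
    """Return (trace, reply); trace records each message and its type/code."""
    trace, padata, reply = [], None, None
    for _ in range(2):  # first request, then at most one retry with pa-data
        trace.append(("AS-REQ", padata["type"] if padata else None))
        reply = kdc.as_req(client, padata)
        trace.append((reply["msg"], reply.get("code")))
        if reply.get("code") != KDC_ERR_PREAUTH_REQUIRED:
            break  # ticket issued, or an error a retry cannot fix
        # Pick the first client-preferred method that the KDC also offered.
        chosen = next((m for m in client_methods if m in reply["method_data"]), None)
        if chosen is None:
            break  # no mutually acceptable method
        padata = {"type": chosen, "value": b"<constructed placeholder>"}
    return trace, reply


if __name__ == "__main__":
    kdc = ToyKDC({"naveen": {"requires_preauth": True,
                             "methods": [PA_PK_AS_REQ, PA_ENC_TIMESTAMP]}})
    for step in get_initial_ticket(kdc, "naveen", [PA_PK_AS_REQ])[0]:
        print(step)
```

A principal without the preauth requirement gets its AS-REP on the first request in this model, which is why the second AS_REQ only appears once preauthentication is required for the client.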