Armor key negotiation in FAST Simon.Jansen at
Fri Oct 26 07:27:00 EDT 2012


I am currently trying to understand the functionality of the FAST extension described in RFC 6113. 
Referring to the standard, FAST provides a secure tunnel between the client and the KDC for the whole pre-authentication conversation by encrypting the pre-authentication messages with an armor key and by ensuring the integrity of the messages. FAST has to provide a fresh armor key for each conversation. From the RFC I can not see how the armor key is negotiated initially in the AS request. The RFC sais on page 27 that the armor field has to be present in an AS-REQ. But how is ensured that both the client and the KDC know the key to decrypt the pre-authentication data?

I read in the MSDN ( that clients first obtain an TGT for the computer principal. This conversation is not armored. Then they use the computer TGT for armoring the user's AS exchange. Is this the standard behavior or a Microsoft specific implementation?

Thanks in advance!


More information about the Kerberos mailing list