Simultaneous TGT requests for the same principal

Greg Hudson ghudson at MIT.EDU
Mon Feb 24 15:09:04 EST 2014


On 02/24/2014 02:17 PM, Ben H wrote:
> I would like to know if there are any known limitations in modern kerb
> implementations that would cause failures of TGT tickets to be issued if
> the same principal was requesting them simultaneously.

Not that I'm aware of.

> If no - why not?  What is the data structure being used to prevent this?

The Kerberos authentication protocol does not require a replay cache.
In fact, since Kerberos requests may be retransmitted over UDP, a KDC
must be willing to respond to the same request twice.  In the MIT KDC,
we do use a lookaside cache so that we usually respond to identical
requests with identical replies, but that isn't really necessary and
shouldn't cause any authentication failures.

Aside from that, simultaneous AS requests will usually be different
because they contain a random 32-bit nonce.  Preauthenticated requests
will also be different because of the confounder in the encrypted
timestamp (or similar protocol elements for other preauth mechanisms).
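The behaviour described in this reply (a KDC that answers identical requests with identical replies from a lookaside cache, while two concurrent AS requests from the same principal differ because of the random nonce and, with preauthentication, the confounder) can be shown with a small simulation. The following is an added example, not code from MIT Kerberos or from this thread; it stands in a JSON-serialised dict for the DER-encoded AS-REQ, elides the actual encryption, and invents the names `make_as_req`, `lookaside_key` and `ToyKDC` for the illustration.

```python
import hashlib
import json
import secrets
import time

# Constructed, simplified model of the AS exchange. A real AS-REQ/AS-REP is an
# ASN.1 DER structure; here a dict serialised as canonical JSON plays that role,
# and the encrypted timestamp is represented by its confounder and timestamp
# fields rather than actually encrypted.


def make_as_req(client, realm="EXAMPLE.COM", nonce=None, preauth=False,
                confounder=None, now=None):
    """Build a toy AS-REQ. The 32-bit nonce is random unless supplied; with
    preauth=True a PA-ENC-TIMESTAMP-like element is added whose confounder is
    random unless supplied (both parameters exist only so tests can be
    deterministic)."""
    if nonce is None:
        nonce = secrets.randbits(32)          # the random 32-bit nonce
    req = {
        "cname": client,
        "realm": realm,
        "sname": f"krbtgt/{realm}@{realm}",
        "nonce": nonce,
    }
    if preauth:
        if confounder is None:
            confounder = secrets.token_hex(16)  # stands in for the random confounder
        req["padata"] = {
            "type": "PA-ENC-TIMESTAMP",
            "confounder": confounder,
            "timestamp": int(now if now is not None else time.time()),
        }
    return req


def lookaside_key(req):
    """Key under which the toy KDC caches its reply: a digest of the encoded request,
    so only byte-identical requests (e.g. a UDP retransmission) share an entry."""
    encoded = json.dumps(req, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


class ToyKDC:
    """Hypothetical KDC with a lookaside cache. An identical request gets the
    cached reply; a distinct request from the same principal is answered afresh,
    with no per-principal lock or replay check involved."""

    def __init__(self):
        self.lookaside = {}
        self.issued = 0

    def handle_as_req(self, req):
        key = lookaside_key(req)
        cached = self.lookaside.get(key)
        if cached is not None:
            return cached                     # identical request, identical reply
        reply = {
            "cname": req["cname"],
            "nonce": req["nonce"],            # echoed so the client can match the reply
            "session_key": secrets.token_hex(16),
            "ticket_id": self.issued,
        }
        self.issued += 1
        self.lookaside[key] = reply
        return reply


def demo():
    """Two concurrent AS-REQs from one principal, then a retransmission of the first."""
    kdc = ToyKDC()
    a = make_as_req("ben@EXAMPLE.COM")
    b = make_as_req("ben@EXAMPLE.COM")
    ra, rb = kdc.handle_as_req(a), kdc.handle_as_req(b)
    ra_again = kdc.handle_as_req(a)           # same bytes as a: served from the cache
    return {
        "distinct_keys": lookaside_key(a) != lookaside_key(b),
        "both_issued": ra["ticket_id"] != rb["ticket_id"],
        "retransmit_same_reply": ra_again is ra,
        "tickets_issued": kdc.issued,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows two tickets issued for the two concurrent requests and the retransmission answered from the cache. Forcing equal nonces makes the two requests collide in the cache unless preauthentication is present, in which case the differing confounders keep them distinct, which is the point of the reply's last paragraph.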

