Kerberos KRB_AP_REQ message - Server name verification required?

Vipul Mehta vipulmehta.1989 at gmail.com
Fri Mar 19 14:17:49 EDT 2021


Hi,

Suppose there are two servers A and B running under different Kerberos
service principals.
If both service principals have the same password and kvno, then the Kerberos
long-term encryption key will be the same for both. This seems to be the case for
the Windows KDC.

In such a case, if a client holding a service ticket for A tries to authenticate
with that ticket to server B, should it work? It is working fine in the JDK
implementation.

https://tools.ietf.org/html/rfc1510#page-21 : in the RFC it is not clear
whether the server should validate the server principal in the service ticket when
a KRB_AP_REQ message is received. It looks like decryption with the key is
sufficient along with some other validations, but I don't find server name
validation explicitly mentioned.
-- 
Regards,
Vipul
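The acceptance decision described in the post, as an added example that is not part of the original message or of any Kerberos implementation: a toy server-side AP-REQ check that first relies only on successful decryption and then also compares the ticket's sname to the server's own principal. The ticket sealing is a constructed HMAC stand-in for Kerberos encryption, and all principal names and the shared key are assumptions.

```python
import hashlib
import hmac
import json

# Constructed stand-in for Kerberos ticket encryption: the EncTicketPart is
# JSON plus an HMAC tag under the service's long-term key. Real Kerberos uses
# authenticated encryption; only the acceptance logic around it matters here.
def seal_ticket(key: bytes, sname: str, cname: str) -> bytes:
    body = json.dumps({"sname": sname, "cname": cname}).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag

def unseal_ticket(key: bytes, ticket: bytes) -> dict:
    body, _, tag = ticket.rpartition(b"|")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")  # wrong key or tampered ticket
    return json.loads(body)

def accept_ap_req(my_sname: str, my_key: bytes, ticket: bytes, check_sname: bool) -> bool:
    """Server-side acceptance of the ticket carried in a KRB_AP_REQ.
    check_sname=False: decryption alone decides (the behaviour the post describes).
    check_sname=True:  the ticket's sname must also be this server's principal."""
    try:
        enc_part = unseal_ticket(my_key, ticket)
    except ValueError:
        return False
    if check_sname and enc_part["sname"] != my_sname:
        return False
    return True

# Constructed scenario: A and B share password and kvno, hence the same key.
SHARED_KEY = hashlib.sha256(b"same-password|kvno=3").digest()
TICKET_FOR_A = seal_ticket(SHARED_KEY, "host/a.example.com", "alice@EXAMPLE.COM")

def demo() -> tuple:
    # (B accepts A's ticket with key-only check,
    #  B accepts A's ticket with sname check,
    #  A accepts its own ticket with sname check)
    return (
        accept_ap_req("host/b.example.com", SHARED_KEY, TICKET_FOR_A, check_sname=False),
        accept_ap_req("host/b.example.com", SHARED_KEY, TICKET_FOR_A, check_sname=True),
        accept_ap_req("host/a.example.com", SHARED_KEY, TICKET_FOR_A, check_sname=True),
    )

if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

With identical keys, decryption succeeds at either server, so only the sname comparison distinguishes a ticket issued for A from one issued for B.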