Implementing IETF Draft on DNS use in Kerberos

Jeffrey Altman jaltman at
Thu Jul 18 14:45:00 EDT 2002

> I thought that the receipt of a valid TGT was proof for the client
> that it was dealing with a trusted KDC and thus the local realm lookup
> was valid.  If this is true, then it doesn't seem necessary to get a
> service ticket in order to validate the local realm lookup.  (I should
> point out that by client I mean client principal with an entry in the
> KDC's princ db.)

All it is proof of is that the KDC knows the user's key (based on

 Jeffrey Altman * Sr.Software Designer     Kermit 95 2.0 GUI available now!!!
 The Kermit Project @ Columbia University  SSH, Secure Telnet, Secure FTP, HTTP
                                           Secured with MIT Kerberos, SRP, and
 kermit-support at                         OpenSSL.

More information about the krbdev mailing list