disallow requests naming principal as a service

John Brezak jbrezak at windows.microsoft.com
Tue Mar 26 18:10:00 EST 2002


Since the response is not authenticated, the client should not wholly
depend on the KDC to guide its action.

Ultimately, the client's policy should determine what action to take
when the KDC is not able to provide a ticket for the requested service.
However, it would become very inefficient for the client to always try
user2user if the KDC failed to return a service ticket.


-----Original Message-----
From: Sam Hartman [mailto:hartmans at MIT.EDU] 
Sent: Tuesday, March 26, 2002 2:59 PM
To: Moore, Patrick
Cc: krbdev at MIT.EDU; John Brezak (E-mail); 'Nicolas Williams'; Matt
Crawford
Subject: Re: disallow requests naming principal as a service


>>>>> "Moore," == Moore, Patrick <pcmoore at sandia.gov> writes:

    Moore,> With this suggested fix, my client would need to try a U2U
    Moore,> handshake upon getting a PRINC_UNKNOWN error from the MIT
    Moore,> KDC.  Not streamlined - but functional enough. Long term,
    Moore,> I'd prefer using KDC_ERR_MUST_USE_USER2USER and report
    Moore,> that back to the client when you see that DUP_SKEY is
    Moore,> allowed but SVR is not.

You should not design protocols in such a manner that you need KDC
responses in order to determine whether you're going to use U2U or not.
This was one of the more annoying features of the GSSAPI U2U draft.


