disallow requests naming principal as a service

Sam Hartman hartmans at MIT.EDU
Tue Mar 26 18:25:00 EST 2002

>>>>> "John" == John Brezak <jbrezak at windows.microsoft.com> writes:

    John> However in many protocols, you haven't started your
    John> conversation with the server yet to know what it expects. In
    John> the normal Kerberos case as long as the KDC gives you a
    John> ticket, you know that the server must support Kerberos. The
    John> KDC is a trusted-third party that does play a role in
    John> defining the security policy of a realm.

In your environment this may be true.  In my environment it is not; I
have a bunch of hosts that I can get v5 tickets for but only using v4
services will actually work.

More over, there are likely cases when both u2u and normal operation
will be permitted by the KDC, but only one of them is appropriate at
the current time/for the current protocol.

My objection is not to the error return existing or even to the
security implications of using it.  My objection is to what I see as a
bad engineering decision in writing a protocol that does not provide
some authentication mechanism negotiation or that does not use that
negotiation to determine wwhether to use U2U or normal Kerberos.

More information about the krbdev mailing list