Replaying and server side caching.
kenh at cmf.nrl.navy.mil
Mon Apr 14 11:07:40 EDT 2003
>> I understand why you would allow this for UDP, but in our experience,
>> we found that if the TGT request got to the KDC, it was extremely
>> unlikely for the TGT response to not find its way back to the client
>> in a normal operational environment.
>Is your "normal" environment restricted to one organization's private
>network? And uniform software? Mine reaches four continents with
>multiple implementations. I would not activate a KDC anti-replay
>feature, knowing that at least some implementations resend the same
"What he said". I actually summarize my logs weekly and look for this,
and I see a bunch of retransmissions from inside of our own network in
addition to the ones from outside of our network. It's enough that
I would never enable such a thing.
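A small simulation of the trade-off this thread is about, added here as an example and not part of the original thread: a KDC-side anti-replay cache that rejects a duplicate AS-REQ versus a response cache that resends the stored reply, seen from a client whose UDP reply was lost and who retransmits the same request. The `ToyKDC` class, the request bytes and the log format are constructed for illustration, not Kerberos wire formats.

```python
"""Added example (not from the krbdev thread).

Policy "reject": a pure anti-replay cache drops any request it has seen
                 before, so a client whose reply was lost never recovers.
Policy "replay": a response cache remembers the reply and resends it, so
                 the retransmit is served without minting a second TGT.
Names, request format and log format are constructed for illustration."""
import hashlib
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ToyKDC:
    policy: str                                  # "reject" or "replay"
    seen: dict = field(default_factory=dict)     # request digest -> reply
    issued: int = 0                              # TGTs actually minted

    def handle(self, as_req: bytes) -> Optional[bytes]:
        key = hashlib.sha256(as_req).hexdigest()
        if key in self.seen:
            # Duplicate request: anti-replay rejects it, a response
            # cache hands back exactly the reply it sent the first time.
            return None if self.policy == "reject" else self.seen[key]
        self.issued += 1
        reply = b"AS-REP:" + as_req + b":tgt#%d" % self.issued
        self.seen[key] = reply
        return reply


def client_exchange(kdc: ToyKDC, drop_first_reply: bool, retries: int = 3):
    """UDP-style client: resend the identical AS-REQ until a reply arrives.
    Returns the reply, or None if the client gave up."""
    as_req = b"AS-REQ:user@EXAMPLE.ORG:nonce=4242"       # constructed
    for attempt in range(retries):
        reply = kdc.handle(as_req)
        if drop_first_reply and attempt == 0:
            reply = None                 # reply lost on the way back
        if reply is not None:
            return reply
    return None


def count_retransmits(log_lines) -> int:
    """Weekly-log style check: how many requests arrived more than once.
    Constructed log format: '<client-ip> <request-digest>'."""
    digests = Counter(line.split()[1] for line in log_lines)
    return sum(n - 1 for n in digests.values())
```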