MIT Kerberos and TN5250

Jeffrey Altman jaltman at MIT.EDU
Tue Jul 13 08:56:03 EDT 2004


As one of the editors of RFC 2942: Telnet Authentication: Kerberos 5, I 
can assure you that the
use of the canonicalize flag is not a requirement for TELNET AUTH KRB5.  
In fact, the canonicalize
flag did not exist in any implementation at the time that TELNET AUTH 
KRB5 was originally

The most important thing to remember is that obtaining a TGT is not part 
of the specification.
The TELNET AUTH KRB5 exchange relies entirely on service tickets; not 
TGTs.  Of course,
you must be in possession of a valid TGT in order to attempt to obtain 
the service ticket for
"host"/fqdn at REALM.

What is it that you are attempting to implement?  Are you attempting to 
perform the equivalent
of a "kinit" operation to obtain a TGT?  If so, this has nothing to do 
Are you attempting to obtain a service ticket for the TN5250 service?  
If so, that would make more
sense?   Then the question is "what service principal are you requesting 
and what do you expect back?"

Jeffrey Altman

Erez Pasternak wrote:

>Hi Sam,
>Does anyone tried (and successed) to connect to Iseries in TN5250 with kerberos ?
>Erez P
>-----Original Message-----
>From: Sam Hartman [mailto:hartmans at]
>Sent: Tuesday, July 06, 2004 10:00 PM
>To: Erez Pasternak
>Cc: krbcore at; krbdev at
>Subject: Re: MIT Kerberos and TN5250
>>>>>>"Erez" == Erez Pasternak <Erez.Pasternak at> writes:
>    Erez> Hi MIT developers, We are using MIT Kerberos to provide
>    Erez> Kerberos support for Terminal Emulation.  When connecting
>    Erez> with AS/400 (iseries) in TN5250 protocol we saw that AS/400
>    Erez> uses a flag name "canonicalize" when asking for a TGT.  I
>    Erez> see in the source code that this flag is missing (
>    Erez> TKT_FLG_RESERVED 0x00010000 ) Is there any ways to make this
>    Erez> work?
>You failed to explain what is actually failing or not working.
>What erronious behavior do you see?  Is some request failing?  If so,
>krbdev mailing list             krbdev at

More information about the krbdev mailing list