Auditing Feature in Kerberos

Jeffrey Hutzelman jhutz at
Tue Apr 4 18:35:04 EDT 2006

On Tuesday, April 04, 2006 05:03:36 PM -0400 Jeffrey Altman 
<jaltman at> wrote:

> greg at wrote:
>> I proposed an exact correllation mechanism in this thread last week.
>> It should be in the archives.
> you suggested the kdc insert a serial number into an authz data type.
>> In the meantime I coded up basic support for it in our authorization
>> payloads.  Its trivially easy to implement.
>> I have difficulty understanding the inertia associated with doing this
>> right.  Especially when the word 'audit' is involved.
> I believe the issue is that we do not believe that there has been
> consensus on what is "right".  Inserting a serial number into tickets
> issued by the kdc can be used to associate the tickets issued in the
> TGS-REP with the TGS-REQ.  It can't be used to associate the AS-REP
> with the AS-REQ.  For this I believe you must use a hash of the request
> and a hash of the reply.

Huh?  The audit log is being generated by the KDC.  It knows which AS-REP 
goes with which AS-REQ because it's the AS.  For an audit trail, the 
interesting thing is associating TGS transactions with the earlier AS 
transaction that resulted in the TGT.  That is, associating an AS-REP with 
one or more later TGS-REQ's made using that ticket.  For that purpose, a 
hash of the TGT can be used.

A serial number in authz data would work too, as long as you're careful to 
insure that serial numbers don't get reused in a multi-KDC realm or across 
a KDC restart.  However, I don't see why inventing a new AD type for this 
purpose is better than just hashing the relevant ticket.

-- Jeff

More information about the krbdev mailing list