Question on validating Kerberos Ticket (From one machine to another)

Russ Allbery rra at
Tue Jun 26 18:18:15 EDT 2007

first last <swtest9 at> writes:

> Here is the scenario.  I want to piggyback onto the authentication
> mechanism in place.  For my purposes, Windows Active Directory. So here
> is the picture which assumes authenticated Windows client:

>  Windows Client         Linux Client       Active Directory (KDC)
>  --------------         ------------       ----------------------
>      |                      |                      |
>      |--------------------->|                      |
>      | Transfer credentials |                      |
>      |                      |                      |
>      |                      |--------------------->|
>      |                      | Present credentials  |
>      |                      |                      |
>      |                      |<---------------------|
>      |                      |     Valid/Invalid    |

I'm fairly sure that this isn't really the answer that you want to get,
but most people on this list are probably going to tell you that a secure
design here requires authenticating the Windows Client to the Linux Client
using something like GSSAPI.  GSSAPI is the recommended way of doing
Kerberos authentication on the network; it's possible to use the raw
Kerberos v5 calls, and some protocols do that, but GSSAPI is

If you use GSSAPI to protect the connection between the Windows Client and
the Linux Client, the verification of credentials against AD will happen
"automatically" as part of the GSSAPI authentication exchange between the
two systems.

BTW, this question, since it's not really about developing MIT Kerberos
itself, is probably better suited for the kerberos at mailing list.

Russ Allbery (rra at             <>
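
A simplified model of the check that happens inside the GSSAPI exchange recommended above, added here as an illustration and not taken from the post or from MIT Kerberos: the accepting service validates the client's ticket with the long-term key it shares with the KDC, so nothing has to be forwarded to AD at authentication time. The cipher is a toy built from the standard library, and every function name, principal and key is an assumption; real code calls `gss_init_sec_context` and `gss_accept_sec_context` instead.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    # Toy keystream (SHA-256 in counter mode); stands in for a real Kerberos enctype.
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

def seal(key, obj):
    # Encrypt-then-MAC a JSON object under key (illustrative construction only).
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed (wrong key or tampered data)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def kdc_issue(service_key, client, now, lifetime=600):
    # KDC side: the ticket is sealed under the service's long-term key,
    # so the client cannot read or alter it.
    session_key = os.urandom(32)
    ticket = seal(service_key,
                  {"client": client, "key": session_key.hex(), "end": now + lifetime})
    return ticket, session_key

def client_request(ticket, session_key, client, now):
    # Client side: send the opaque ticket plus a fresh authenticator
    # sealed under the session key, proving possession of that key.
    return ticket, seal(session_key, {"client": client, "ts": now})

def accept(service_key, ticket, authenticator, now, skew=300):
    # Acceptor side: only the service's own key (its keytab entry) is needed.
    # Returns the authenticated client name or raises ValueError.
    t = unseal(service_key, ticket)
    if now > t["end"]:
        raise ValueError("ticket expired")
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"] or abs(now - a["ts"]) > skew:
        raise ValueError("authenticator mismatch or outside clock skew")
    return t["client"]
```

A real acceptor also keeps a replay cache of recently seen authenticators, which this model omits.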
