How to use FAST in TGS requests
Srinivas Cheruku
srinivas.cheruku at gmail.com
Thu May 28 00:58:13 EDT 2009
>-----Original Message-----
>From: Sam Hartman [mailto:hartmans at mit.edu]
>Sent: 27 May 2009 22:11
>To: Greg Hudson
>Cc: Srinivas Cheruku; 'krbdev at mit.edu'
>Subject: Re: How to use FAST in TGS requests
>
>>>>>> "Greg" == Greg Hudson <ghudson at MIT.EDU> writes:
>
> Greg> On Wed, 2009-05-27 at 14:32 +0530, Srinivas Cheruku wrote:
> >> How can I use client code to get service ticket using FAST?
>
> Greg> My understanding is that we have not implemented FAST for
> Greg> TGS-REQs yet. (We did implement using a subkey for TGS-REQs
> Greg> as an intermediate step, which uncovered four different
> Greg> interoperability problems in three different Kerberos
> Greg> implementations.)
>
>I have an implementation of FAST TGS requests that was used during
>interop testing. I believe that the KDC on the trunk supports FAST
>TGS correctly; it works against my implementation and against another
>vendor's implementation.
>
[Srinivas Cheruku] Does your implementation use subkeys in AP-REQ (in
PA-TGS-REQ padata) in TGS-REQ? I saw a thread (by Greg Hudson) where there
were interoperability issues when using subkeys in TGS-REQ and so did you do
anything extra other than adding FAST to TGS code in MIT? I just want to
understand what changes made it work against another vendors implementation.
>I have not checked in the FAST TGS client side changes for two
>reasons. First, as currently written, it breaks interop with non-FAST
>KDCs.
[Srinivas Cheruku] The PA-TGS-REQ is in the outer request along with
PA-FX-FAST, so how will it break the interop with non-FAST KDCs? Can you
please explain?
Secondly, there was some discussion of when we want to try FAST
>with the TGS. I think it would be fine to experiment with that for
>the 1.8 release, but I felt that it was very late in the 1.7 process
>to make that decision.
[Srinivas Cheruku] ok
Thanks,
Srini
More information about the krbdev
mailing list