How to use FAST in TGS requests

Srinivas Cheruku srinivas.cheruku at
Thu May 28 00:58:13 EDT 2009

>-----Original Message-----
>From: Sam Hartman [mailto:hartmans at]
>Sent: 27 May 2009 22:11
>To: Greg Hudson
>Cc: Srinivas Cheruku; 'krbdev at'
>Subject: Re: How to use FAST in TGS requests
>>>>>> "Greg" == Greg Hudson <ghudson at MIT.EDU> writes:
>    Greg> On Wed, 2009-05-27 at 14:32 +0530, Srinivas Cheruku wrote:
>    >> How can I use client code to get service ticket using FAST?
>    Greg> My understanding is that we have not implemented FAST for
>    Greg> TGS-REQs yet.  (We did implement using a subkey for TGS-REQs
>    Greg> as an intermediate step, which uncovered four different
>    Greg> interoperability problems in three different Kerberos
>    Greg> implementations.)
>I have an implementation of FAST TGS requests that was used during
>interop testing.  I believe that the KDC on the trunk supports FAST
>TGS correctly; it works against my implementation and against another
>vendor's implementation.
[Srinivas Cheruku] Does your implementation use subkeys in AP-REQ (in
PA-TGS-REQ padata) in TGS-REQ? I saw a thread (by Greg Hudson) where there
were interoperability issues when using subkeys in TGS-REQ and so did you do
anything extra other than adding FAST to TGS code in MIT? I just want to
understand what changes made it work against another vendors implementation.

>I have not checked in the FAST TGS client side changes for two
>reasons.  First, as currently written, it breaks interop with non-FAST
[Srinivas Cheruku] The PA-TGS-REQ is in the outer request along with
PA-FX-FAST, so how will it break the interop with non-FAST KDCs? Can you
please explain?

 Secondly, there was some discussion of when we want to try FAST
>with the TGS.  I think it would be fine to experiment with that for
>the 1.8 release, but I felt that it was very late in the 1.7 process
>to make that decision.
[Srinivas Cheruku] ok


More information about the krbdev mailing list