HW-AUTHENT flag question

Will Fiveash William.Fiveash at sun.com
Tue Feb 9 20:05:32 EST 2010

Someone sent me this question:

Microsoft makes a confusing statement in "[MSKILE]"
http://download.microsoft.com/download/a/e/6/ae6e4142-aa58-45c6-8dcf-a657e5900cd3/%5BMS-KILE%5D.pdf :

    The HW-AUTHENT flag
    ([RFC4120]<http://go.microsoft.com/fwlink/?LinkId=90458> section 2.1):
    This flag was originally intended to indicate that hardware-supported
    authentication was used during pre-authentication. This flag is no
    longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a
    ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is
    set by another KDC.

Who said that it "is no longer recommended"? I did not hear anything
like this elsewhere and IMHO this the exact opposite of what makes

What is the current take on HW-AUTHENT flag?

Will Fiveash
Sun Microsystems Inc.
Sent from mutt, a sweet ASCII MUA

More information about the krbdev mailing list