Is this TGS-REP legal now?
Weijun.Wang at sun.com
Thu Mar 18 09:40:14 EDT 2010
How do I interpret "the only case" below? It sounds like KDC should only return a referral if the request is for a TGT.
3.3.3. Generation of KRB_TGS_REP Message
The response will include a ticket for the requested server or for a
ticket granting server of an intermediate KDC to be contacted to
obtain the requested ticket. The Kerberos database is queried to
retrieve the record for the appropriate server (including the key
with which the ticket will be encrypted). If the request is for a
TGT for a remote realm, and if no key is shared with the requested
realm, then the Kerberos server will select the realm 'closest' to
the requested realm with which it does share a key and use that realm
instead. This is the only case where the response for the KDC will
be for a different server than that requested by the client.
On Mar 18, 2010, at 9:17 PM, Sam Hartman wrote:
> RFC 4120 has always allowed a KDC to return a referral to a different
> realm than the one requested by the client.
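A client-side check that encodes the quoted rule from section 3.3.3 literally, written as an added example (not code from this thread or from any Kerberos implementation): a TGS-REP ticket may name a different server than the one requested only when the request was for a TGT and the returned ticket is a TGT for another realm. The text-form principal names and the `check_tgs_rep` function are assumptions made for illustration.

```python
# Added example, not from the krbdev thread: classify the sname of a returned
# TGS-REP ticket against the sname the client asked for, following the
# "only case" wording of RFC 4120 section 3.3.3 as quoted in the mail.
from dataclasses import dataclass


@dataclass(frozen=True)
class PrincipalName:
    components: tuple  # e.g. ("krbtgt", "EU.EXAMPLE.COM") or ("host", "www.example.com")
    realm: str         # realm the principal belongs to

    @classmethod
    def parse(cls, text):
        """Parse the text form 'comp1/comp2@REALM' into a PrincipalName."""
        name, sep, realm = text.rpartition("@")
        if not sep or not name or not realm:
            raise ValueError("principal must be of the form name@REALM: %r" % text)
        return cls(tuple(name.split("/")), realm)

    def is_tgt(self):
        # A TGT service principal has exactly two components, the first being 'krbtgt'.
        return len(self.components) == 2 and self.components[0] == "krbtgt"

    def tgt_target_realm(self):
        # For krbtgt/<realm>, the second component names the realm the TGT is for.
        return self.components[1] if self.is_tgt() else None


def check_tgs_rep(requested, returned):
    """Compare the requested sname with the sname in the returned ticket.

    Returns one of:
      'match'     - the ticket is for the server the client asked for
      'referral'  - the client asked for a TGT and got a TGT for a different
                    (intermediate) realm, the one case section 3.3.3 permits
      'violation' - any other substitution; a strict client rejects the reply
    """
    req = PrincipalName.parse(requested)
    ret = PrincipalName.parse(returned)
    if req == ret:
        return "match"
    if req.is_tgt() and ret.is_tgt() and req.tgt_target_realm() != ret.tgt_target_realm():
        return "referral"
    return "violation"
```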