Decrypting KRB_CRED in AP_REQ

Weijun Wang
Thu Mar 31 21:38:34 EDT 2011

On 03/31/2011 10:52 PM, Greg Hudson wrote:
> On Thu, 2011-03-31 at 00:17 -0400, Weijun Wang wrote:
>> Here, it seems the decrypt key should be the session key of the service
>> ticket. What shall I do if the authenticator has a subkey?
> You should still use the session key of the service ticket.
> Heimdal and MIT krb5 both attempt to decrypt with the session key and
> subkey.  But Microsoft Kerberos only decrypts with the session key.  We
> found this out the hard way when we accidentally started encrypting
> GSSAPI forwarded creds with the subkey in 1.8.

So, the following paragraph on is about 
this issue?

    * Testing of Kerberos 1.8 showed an incompatibility between Heimdal/MIT
      Kerberos and Microsoft Kerberos; resolve this incompatibility.  As a
      result, mixing KDCs between 1.8 and 1.8.1 in the same realm may
      produce undesirable results for constrained delegation.  Again,
      another reason to replace 1.8 with 1.8.1 as soon as possible.

I cannot find a related bug id. Is the old behavior back in 1.8.1?


>> So, does the case in RFC 4121 4.1.1 I quoted above belong to "this
>> specific application session"?
> I would not say that GSSAPI forwarded creds belong to the application
> session, no.  At any rate, the more specific statement in RFC 4121 takes
> precedence.
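As an added illustration of the key-selection behaviour discussed above (not code from this thread or from any Kerberos implementation): a Python model of a receiver that decrypts the KRB-CRED in an AP-REQ with the ticket session key and, MIT/Heimdal-style, falls back to the authenticator subkey, beside a session-key-only receiver. The encryption routine is a constructed HMAC-based stand-in for a real RFC 3961 etype, and the keys and credential bytes are constructed.

```python
import hmac
import hashlib
import os
from typing import Optional

# Constructed stand-in for a Kerberos encryption type: a keyed keystream plus
# an integrity tag, so decrypting with the wrong key fails instead of yielding
# garbage. Only the key-selection logic below is the point of the example.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def kcrypt_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def kcrypt_decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expect, tag):
        return None  # integrity check failed: wrong key (or tampered blob)
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def decrypt_krb_cred(enc_part: bytes, session_key: bytes,
                     subkey: Optional[bytes], try_subkey: bool) -> Optional[bytes]:
    """Receiver-side key selection for the KRB-CRED carried in a GSSAPI AP-REQ.
    try_subkey=True models MIT/Heimdal (session key first, then the
    authenticator subkey); try_subkey=False models the session-key-only
    behaviour the thread attributes to Microsoft Kerberos."""
    pt = kcrypt_decrypt(session_key, enc_part)
    if pt is None and try_subkey and subkey is not None:
        pt = kcrypt_decrypt(subkey, enc_part)
    return pt

def interop_matrix() -> dict:
    """Which sender/receiver pairings can recover the forwarded credentials."""
    session_key, subkey = os.urandom(32), os.urandom(32)      # constructed keys
    cred = b"EncKrbCredPart: forwarded TGT (constructed sample)"
    by_session = kcrypt_encrypt(session_key, cred)  # sender uses the ticket session key
    by_subkey = kcrypt_encrypt(subkey, cred)        # sender uses the subkey (the 1.8 mistake)
    return {
        "session_key->mit": decrypt_krb_cred(by_session, session_key, subkey, True) == cred,
        "session_key->ms": decrypt_krb_cred(by_session, session_key, subkey, False) == cred,
        "subkey->mit": decrypt_krb_cred(by_subkey, session_key, subkey, True) == cred,
        "subkey->ms": decrypt_krb_cred(by_subkey, session_key, subkey, False) == cred,
    }
```

Only encrypting with the ticket session key succeeds against both receiver models, which is the interoperability point of the thread.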
