TGS-REP TICKET decrypting problem

somenath saha saha.somenath.88 at gmail.com
Fri Jun 13 02:06:28 EDT 2014


Hi Wang,

Is it right?
Let there be two clients, CLIENT-1 and CLIENT-2. Now suppose CLIENT-1 gets a
ticket from the KDC in a TGS_REP message, as he wants to communicate with CLIENT-2.
Now CLIENT-1 forwards this ticket to CLIENT-2 in an AP_REQ message. Now
CLIENT-2 must have the right to decrypt the ticket to get the shared key. Am
I right?

Check the attached image and confirm whether I'm right or not.




On Fri, Jun 13, 2014 at 11:10 AM, Wang Weijun <weijun.wang at oracle.com>
wrote:

> The service ticket is meant to be read by the service. The client should
> not be able to decrypt it.
>
> --Max
>
> On Jun 13, 2014, at 13:11, somenath saha <saha.somenath.88 at gmail.com>
> wrote:
>
> > Hi Wang,
> >
> > Yes, I can create a keytab file and grab the necessary key from there, but
> > that is not my intention. I don't want to take any help from the KDC, as I want to
> > write separate code for the client. Why should the client take the key from the KDC?
> > The client has to prepare it and must decrypt the ticket.
> >
> >
> > On Fri, Jun 13, 2014 at 10:36 AM, Wang Weijun <weijun.wang at oracle.com>
> > wrote:
> > Didn't you already create a keytab file using esedbexport and
> > dskeytab.py? Inside it there is one key that should decrypt the service
> > ticket.
> >
> > --Max
> >
> > On Jun 13, 2014, at 13:00, somenath saha <saha.somenath.88 at gmail.com>
> > wrote:
> >
> > > Hi Danilo and others,
> > >
> > > I forgot to mention something about my setup. I am running an Active
> > > Directory domain on a Windows Server 2012 machine with two Windows (Windows
> > > Server 2012) clients joined to the domain. In Windows Server 2012 I create
> > > a user "krbtest", and the password of this user is "Krbtest2012". Now I prepare
> > > a key using the user credentials, i.e. the username "krbtest", its password, and
> > > the corresponding domain and enctype. Using this key I can decrypt the AS_REP
> > > message, but I can't decrypt the TGS_REP ticket using that key. Please help
> > > me out and inform me if you need any other details.
> > >
> > >
> > > On Thu, Jun 12, 2014 at 11:59 AM, somenath saha
> > > <saha.somenath.88 at gmail.com> wrote:
> > > Danilo,
> > >
> >
> >
>
>
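An added illustration of the key relationships discussed in this thread (not code from the thread or from any Kerberos implementation): a toy model, using a stand-in HMAC-based cipher instead of a real Kerberos enctype, in which the TGS_REP ticket opens only with the service's long-term key while the client obtains the same session key from the TGS_REP enc-part. The realm, salts, service secret and all function names are constructed for the example.

```python
import hashlib, hmac, os

# Stand-in authenticated cipher (HMAC-SHA256 keystream + tag). It only models
# "which key opens which blob"; it is NOT an RFC 3961/3962 enctype.
def _stream(key, nonce, n):
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None  # wrong key or modified data
    return bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body))))

def long_term_key(password, salt):
    # Stand-in for string-to-key; real enctypes define their own derivation.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)

def kdc_tgs_rep(tgt_session_key, service_key):
    svc_session_key = os.urandom(32)  # fresh key shared by client and service
    return {
        "ticket": seal(service_key, svc_session_key),        # for the service only
        "enc_part": seal(tgt_session_key, svc_session_key),  # for the client
    }

def demo():
    # Constructed realm and salts; the user password is the one quoted in the thread.
    user_key = long_term_key("Krbtest2012", "EXAMPLE.TESTkrbtest")
    service_key = long_term_key("constructed-service-secret", "EXAMPLE.TESThostclient-2")
    tgt_session_key = os.urandom(32)  # client got this from the AS_REP enc-part via user_key
    rep = kdc_tgs_rep(tgt_session_key, service_key)
    return {
        "user_key_opens_ticket": unseal(user_key, rep["ticket"]) is not None,
        "client_session_key": unseal(tgt_session_key, rep["enc_part"]),  # client side
        "service_session_key": unseal(service_key, rep["ticket"]),       # service side, from AP_REQ
    }

if __name__ == "__main__":
    r = demo()
    print("user key opens ticket:", r["user_key_opens_ticket"])
    print("both sides share key :", r["client_session_key"] == r["service_session_key"])
```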

