communications with KDC in calling krb5_get_init_creds_password()
Greg Hudson
ghudson at MIT.EDU
Wed Jun 25 15:45:38 EDT 2014
On 06/25/2014 03:05 PM, Bin Lu wrote:
> 1. Why the API needs to talk to KDC twice in order to validate the password? As I understand all it needs is to check if it can decrypt the TGS session key returned in the 1st response.

If the KDC requires preauthentication for that principal, two
round-trips are usually needed. The first reply indicates what preauth
mechanisms the KDC supports, and the second contains the actual ticket.

> 2. What data it receives from KDC would cause response TOO BIG in this API, the credential?

Probably a large PAC
(http://msdn.microsoft.com/en-us/library/cc237917.aspx) in the
authorization data of the ticket.
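
As an added illustration (not part of the original message and not libkrb5 code), this toy model in C counts the AS-REQs a client sends when the KDC requires preauthentication and when the ticket is too large for a UDP reply. The error codes and the PA-ENC-TIMESTAMP type number are from RFC 4120, as is the retry over TCP after KRB_ERR_RESPONSE_TOO_BIG; the function names, the struct and the sizes are assumptions constructed for the example.

```c
#include <stdio.h>
#include <stddef.h>

/* Protocol constants from RFC 4120. */
enum { AS_REP = 0, KDC_ERR_PREAUTH_REQUIRED = 25, KRB_ERR_RESPONSE_TOO_BIG = 52 };
enum { PA_NONE = 0, PA_ENC_TIMESTAMP = 2 };
enum transport { UDP, TCP };

/* Hypothetical KDC policy for the model; all values are constructed. */
struct kdc { int requires_preauth; size_t ticket_len; size_t udp_max; };

/* Toy KDC: answers one AS-REQ with AS_REP or a KRB-ERROR code. */
static int kdc_handle(const struct kdc *k, int padata, enum transport via)
{
    if (k->requires_preauth && padata != PA_ENC_TIMESTAMP)
        return KDC_ERR_PREAUTH_REQUIRED;  /* real e-data lists the PA types */
    if (via == UDP && k->ticket_len > k->udp_max)
        return KRB_ERR_RESPONSE_TOO_BIG;  /* reply does not fit a datagram */
    return AS_REP;
}

/* Toy client loop (hypothetical name). Returns the number of AS-REQs sent,
 * or -1 on failure; *final_via is the transport that carried the AS-REP. */
int get_init_creds(const struct kdc *k, enum transport *final_via)
{
    int padata = PA_NONE, sent = 0;
    enum transport via = UDP;

    while (sent < 4) {
        int rc = kdc_handle(k, padata, via);
        sent++;
        if (rc == AS_REP) { *final_via = via; return sent; }
        if (rc == KDC_ERR_PREAUTH_REQUIRED && padata == PA_NONE)
            padata = PA_ENC_TIMESTAMP;    /* resend with encrypted timestamp */
        else if (rc == KRB_ERR_RESPONSE_TOO_BIG && via == UDP)
            via = TCP;                    /* resend the same request over TCP */
        else
            return -1;
    }
    return -1;
}

int main(void)
{
    struct kdc big_pac = { 1, 4000, 1400 };  /* constructed: preauth + large PAC */
    enum transport via;
    int n = get_init_creds(&big_pac, &via);
    printf("AS-REQs sent: %d, final transport: %s\n", n, via == TCP ? "TCP" : "UDP");
    return 0;
}
```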