replay of service tickets

Sorin Manolache sorinm at
Wed Mar 16 05:33:53 EDT 2016


My apologies if it is not the right mailing list for asking this question.

I have a system consisting of an Authentication Server, a Backend and a 

The Client first invokes the Authentication Server.

The Authentication Server executes


As a result, it obtains a Kerberos service ticket that it sends to the 

Next, the Client invokes the Backend and passes the obtained service ticket.

The Backend executes


The Client<->Authentication Server and Client<->Backend connections are HTTP. The 
Client is oblivious to the fact that the data item it receives/sends is 
a Kerberos service ticket. To it, it's just opaque data, so the Client 
uses no GSS/Kerberos stack.

Assuming that the service ticket expires in N seconds, may the Client 
perform several requests to the Backend using the same service ticket 
(that is, without making new requests to the Authentication Server) 
during the N seconds until the ticket expires?

I'm asking the question because I have two backends with two GSS stacks. 
The backend with the binary GSS stack of MIT accepts the ticket several 
times with no error. The second backend uses a Java GSS stack. It 
accepts the ticket once but if I attempt a second request with the same 
ticket then I get an exception indicating that I'm trying to replay the 
ticket which it does not accept. Apparently the Java stack "remembers" 
the ticket and rejects requests if it finds the ticket in its cache.

Which implementation obeys the standard? The Java one or the MIT GSS 
stack? Are both approaches correct and is it just a matter of 
configuring the two stacks?

Thank you in advance,
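The behaviour described in the post (one acceptor taking the same token repeatedly, the other refusing the second presentation as a replay) comes down to the acceptor-side replay cache that RFC 4120 section 3.2.3 asks a service to keep: it remembers the authenticators it has seen within the allowable clock skew and refuses any it has seen before. The model below is an added example, not code from the post, from MIT krb5 or from the Java GSS stack. It treats the service ticket as an opaque blob that can be reused, wraps it in a constructed AP-REQ-like token (ticket plus an authenticator with client name, timestamp and microsecond counter), and shows that the same token sent twice is rejected while a fresh authenticator built from the same ticket is accepted. The token layout, the `ReplayCache` class and the constructed ticket value are assumptions made for illustration.

```python
"""Model of a Kerberos/GSS acceptor replay cache (added example, not from the post).

Assumptions (constructed for illustration, not the MIT or Java implementation):
- a "service ticket" is an opaque blob the client reuses until it expires;
- each request carries an AP-REQ-like token: the ticket plus an authenticator
  (client principal, timestamp, microsecond counter);
- the acceptor, as RFC 4120 section 3.2.3 requires, remembers authenticators
  seen within the allowable clock skew and rejects any it has already seen.
"""
import hashlib
import json
from dataclasses import dataclass

CLOCK_SKEW = 300  # seconds; the usual Kerberos clockskew default


@dataclass(frozen=True)
class Token:
    ticket: bytes   # opaque service ticket, reused across requests
    client: str     # client principal named in the authenticator
    ctime: int      # authenticator timestamp (seconds)
    cusec: int      # microsecond field; distinguishes tokens in the same second

    def authenticator_id(self) -> str:
        # Replay-cache key: a hash over the fields that identify this authenticator.
        raw = json.dumps([self.client, self.ctime, self.cusec]).encode()
        return hashlib.sha256(self.ticket + raw).hexdigest()


class ReplayCache:
    """Acceptor-side cache of authenticators seen within the clock-skew window."""

    def __init__(self, skew: int = CLOCK_SKEW):
        self.skew = skew
        self._seen: dict[str, int] = {}  # authenticator_id -> ctime

    def _expire(self, now: int) -> None:
        # An entry older than the skew can never match a still-valid token, so drop it.
        stale = [k for k, t in self._seen.items() if now - t > self.skew]
        for k in stale:
            del self._seen[k]

    def accept(self, token: Token, now: int) -> str:
        self._expire(now)
        if abs(now - token.ctime) > self.skew:
            return "rejected: clock skew too great"
        key = token.authenticator_id()
        if key in self._seen:
            return "rejected: replay"
        self._seen[key] = token.ctime
        return "accepted"


def make_token(ticket: bytes, client: str, now: int, cusec: int) -> Token:
    """Client side: reuse the ticket, but build a fresh authenticator per request."""
    return Token(ticket, client, now, cusec)


def demo() -> list[str]:
    ticket = b"constructed-opaque-service-ticket"  # constructed sample value
    cache = ReplayCache()
    now = 1_000_000
    t1 = make_token(ticket, "client@EXAMPLE.COM", now, 1)
    t2 = make_token(ticket, "client@EXAMPLE.COM", now, 2)
    return [
        cache.accept(t1, now),        # fresh authenticator: accepted
        cache.accept(t1, now + 1),    # identical token presented again: replay
        cache.accept(t2, now + 1),    # same ticket, new authenticator: accepted
        cache.accept(t1, now + 400),  # old token outside the skew window: stale
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The distinction the model draws is between the ticket and the token: the ticket stays valid for its lifetime and can back many requests, but each request has to carry a new authenticator, and an acceptor that keeps a replay cache will refuse a token it has already consumed. In the setup from the post the Client forwards the exact bytes it received, so it resends the same authenticator every time; a Backend without a replay cache cannot tell that apart from a legitimate fresh request, which is exactly the replay exposure the cache exists to detect.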

More information about the krbdev mailing list