replay of service tickets
sorinm at gmail.com
Wed Mar 16 05:33:53 EDT 2016
My apologies if it is not the right mailing list for asking this question.
I have a system consisting of an Authentication Server, a Backend and a
The Client first invokes the Authentication Server.
The Authentication Server executes
As a result, it obtains a kerberos service ticket that it sends to the
Next, the Client invokes the Backend and passes the obtained service ticket.
The Backend executes
The Client<->Authentication Server and Client<->Backend are HTTP. The
Client is oblivious to the fact that the data item it receives/sends is
a kerberos service ticket. For it it's just opaque data, so the Client
uses no GSS/Kerberos stack.
Assuming that the service ticket expires in N seconds, may the Client
perform several requests to the Backend using the same service ticket
(that is without making new requests to the Authentication Server)
during the N seconds until the ticket expiration?
I'm asking the question because I have two backends with two GSS stacks.
The backend with the binary GSS stack of MIT accepts the ticket several
times with no error. The second backend uses a Java GSS stack. It
accepts the ticket once but if I attempt a second request with the same
ticket then I get an exception indicating that I'm trying to replay the
ticket which it does not accept. Apparently the Java stack "remembers"
the ticket and rejects requests if it finds the ticket in its cache.
Which implementation obeys the standard? The Java one or the MIT GSS
stack? Are both approaches correct and is it just a matter of
configuring the two stacks?
Thank you in advance,
More information about the krbdev