TGS granting

moore moore moore_chestnut at
Wed Oct 31 10:36:39 EDT 2018

Hello,I hope I have the correct forum for some guidance.
I have the following scenario:
Clients(generally web based), linux proxy and windows server farm.The proxy is configured with a user that is configured for kerberos constrained delegation.A TGT is granted for this user with delegation enabled. 

TGS are also granted and everything works OK. 

However I have a resource utilization problem on the proxy where the windows servers are frequently requesting re authorization with 401 Negotiate. 

This causes and intermediate process on the proxy to contact the KDC for new TGS.
Is there a way for the intermediate process to generate service tickets without having to go to the KDC? It already has the TGT. 
Or is a round trip to the KDC ( Windows AD) always required to get service tickets?
Due to the connection behavior, there are very many TGS_REQs on the wire.
Is there any way to optimize this behavior and avoid so much traffic back and forth to the KDC for TGS_REQ/TGS_RSP.
Appreciate any guidance. 

Thank you. 

More information about the krbdev mailing list