TGS granting

Benjamin Kaduk kaduk at
Wed Oct 31 12:00:37 EDT 2018

On Wed, Oct 31, 2018 at 02:36:39PM +0000, moore moore wrote:
> Hello, I hope I have the correct forum for some guidance.
> I have the following scenario:
> Clients (generally web based), linux proxy and windows server farm. The proxy is configured with a user that is configured for kerberos constrained delegation. A TGT is granted for this user with delegation enabled.
> TGS are also granted and everything works OK.
> However I have a resource utilization problem on the proxy where the windows servers are frequently requesting re authorization with 401 Negotiate.
> This causes an intermediate process on the proxy to contact the KDC for new TGS.
> Is there a way for the intermediate process to generate service tickets without having to go to the KDC? It already has the TGT.
> Or is a round trip to the KDC (Windows AD) always required to get service tickets?

The TGT is used to authenticate to the TGS so that the TGS can issue
service tickets; the TGT alone is not enough to produce service tickets.

> Due to the connection behavior, there are very many TGS_REQs on the wire.
> Is there any way to optimize this behavior and avoid so much traffic back and forth to the KDC for TGS_REQ/TGS_RSP?

Are the 401 Negotiates doing credential delegation or just authentication?
For authentication the clients should be able to cache service tickets and
reuse them, without need for a TGS exchange for every HTTP authentication.
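Both points in the reply above, as an added example written for this page (not code from the thread or from MIT krb5): a toy model in which the proxy's TGT alone cannot produce a ticket the web server will accept, and a per-service ticket cache collapses repeated 401 Negotiate challenges into one TGS exchange per service per ticket lifetime. The service principal names, keys and TGT blob are constructed placeholders, and an HMAC stands in for encryption under the service key.

```python
# Constructed toy model (not real Kerberos crypto, not MIT krb5 code): the proxy holds a TGT
# but only the KDC holds service keys, so a service ticket costs a TGS exchange unless cached.
import hashlib
import hmac
from collections import namedtuple

TGT = b"tgt-from-as-exchange"  # constructed stand-in for the proxy's real TGT
ServiceTicket = namedtuple("ServiceTicket", "service expires mac")  # mac: stand-in for service-key encryption

def _seal(key, service, expires):
    return hmac.new(key, f"{service}|{expires}".encode(), hashlib.sha256).digest()

class KDC:
    """Holds every service's long-term key; the only party able to mint service tickets."""
    def __init__(self, service_keys, lifetime):
        self.service_keys, self.lifetime = service_keys, lifetime
        self.tgs_requests = 0  # TGS_REQ/TGS_REP round trips seen on the wire

    def tgs_exchange(self, tgt, service, now):
        self.tgs_requests += 1
        if tgt != TGT:
            raise PermissionError("TGT failed to validate")
        expires = now + self.lifetime
        return ServiceTicket(service, expires, _seal(self.service_keys[service], service, expires))

def service_accepts(ticket, service_key, now):
    """The web server verifies with its own key, so a ticket the proxy made up is rejected."""
    expected = _seal(service_key, ticket.service, ticket.expires)
    return hmac.compare_digest(expected, ticket.mac) and ticket.expires > now

class ProxyCache:
    """Per-service credential cache: go to the KDC only on a miss or an expired ticket."""
    def __init__(self, kdc):
        self.kdc, self.tickets = kdc, {}

    def ticket_for(self, service, now):
        t = self.tickets.get(service)
        if t is None or t.expires <= now:
            t = self.kdc.tgs_exchange(TGT, service, now)
            self.tickets[service] = t
        return t

def count_tgs_requests(challenges, lifetime, use_cache=True):
    """challenges: (time, service) per 401 Negotiate; returns TGS exchanges needed."""
    kdc = KDC({"HTTP/web1": b"key-web1", "HTTP/web2": b"key-web2"}, lifetime)
    cache = ProxyCache(kdc)
    for now, service in challenges:
        t = cache.ticket_for(service, now) if use_cache else kdc.tgs_exchange(TGT, service, now)
        assert service_accepts(t, kdc.service_keys[service], now)
    return kdc.tgs_requests
```

With 100 challenges spread over two services inside one ticket lifetime, the cached proxy makes 2 TGS exchanges where the uncached one makes 100; shortening the lifetime shows renewals happening only at expiry.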

