Mike Chapel wrote:
The first problem is Java is sending the pa-enc-timestamp with the first
request. If it did not then you would get the (25) response. I think
that is the real solution.
The pseudo code on page 92 says:
if(client.pa_enc_timestamp_required and
pa_enc_timestamp not present) then
error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP));
endif
If so, since I already send the as-req
automatically with the pa-enc-timestamp, if I get the
KDC_ERR_PREAUTH_REQUIRED,
Don't send any pre-auth in the first request.
That sounds like a valid path to take. Of course
pa_enc_timestamp_required would have to be a config set option that
could be set to true or false.
The KDC has the option to require pre-auth, and most sites require it.
Some customers wouldn't want the
performance hit of having to resend the as_req twice as a workaround to
comply with the MS AD case name problem.
The performance is negligible and only occurs when the user
types in a password so it is hardly noticeable.
Since all other Kerberos clients that I have seen don't have this
client side option, if you add an option, please default it to false
and it will work everywhere.
In the future as PKINIT and/or other pre-auths are implemented, you
may have to send in the first request without any pre-auth just to find
out what the KDC will accept so you might as well do it now too.
But I do agree that I could
create a parameter pa_enc_timestamp_required = false then send the
as_req without any preauth, then handle the (25) scenario. This won't
fix the problem if they set it to "true". The problem would possibly
still arise for MS AD, but a workable solution for people using MS AD
2003.
False should work with any KDC.
Thanks for the input.
We are looking forward to this fix.
Michael W. Chapel
Java Kerberos/JGSS Development
IBM/Tivoli Java Security
Austin Texas
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
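The two-round-trip flow discussed in this thread (send the AS-REQ without pre-auth, get error 25 back, resend with PA-ENC-TIMESTAMP), as an added Python simulation that is not part of the original mail or of the Java implementation it discusses. The keyed MAC stands in for the real encrypted timestamp, and the names Kdc, client_login and the key values are constructed for the example.

```python
import hmac
import hashlib
import time

KDC_ERR_PREAUTH_FAILED = 24    # RFC 4120 error code
KDC_ERR_PREAUTH_REQUIRED = 25  # the "(25) response" named in the thread
MAX_CLOCK_SKEW = 300           # seconds; RFC 4120 default for timestamp checks


def enc_timestamp(key, now):
    # Stand-in for PA-ENC-TIMESTAMP: a keyed MAC over the client's time.
    # Real Kerberos encrypts the timestamp under the client's long-term key.
    tag = hmac.new(key, str(now).encode(), hashlib.sha256).hexdigest()
    return {"ts": now, "tag": tag}


class Kdc:
    """Constructed KDC with the pa_enc_timestamp_required switch from the thread."""

    def __init__(self, client_keys, require_preauth):
        self.keys = client_keys
        self.require_preauth = require_preauth
        self.requests = 0  # counts AS-REQs, i.e. the round trips the thread worries about

    def as_req(self, cname, padata=None, now=None):
        self.requests += 1
        now = time.time() if now is None else now
        if self.require_preauth and padata is None:
            # The RFC pseudo code quoted above: pre-auth required but not present.
            return {"error": KDC_ERR_PREAUTH_REQUIRED, "hint": "PA-ENC-TIMESTAMP"}
        if padata is not None:
            expected = enc_timestamp(self.keys[cname], padata["ts"])["tag"]
            stale = abs(now - padata["ts"]) > MAX_CLOCK_SKEW
            if stale or not hmac.compare_digest(expected, padata["tag"]):
                return {"error": KDC_ERR_PREAUTH_FAILED}
        return {"as_rep": "TGT for " + cname}


def client_login(kdc, cname, key, send_preauth_first=False, now=None):
    """Returns (reply, round_trips). send_preauth_first models the proposed
    client-side option; False (the default asked for in the thread) sends the
    first AS-REQ bare and only adds PA-ENC-TIMESTAMP after error 25."""
    now = time.time() if now is None else now
    padata = enc_timestamp(key, now) if send_preauth_first else None
    reply = kdc.as_req(cname, padata, now)
    trips = 1
    if reply.get("error") == KDC_ERR_PREAUTH_REQUIRED:
        reply = kdc.as_req(cname, enc_timestamp(key, now), now)
        trips = 2
    return reply, trips
```

With the option left at its default, a KDC that does not require pre-auth is satisfied in one round trip and one that does costs exactly one extra AS-REQ, which is the negligible cost the thread describes.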