Simo Sorce <s...@redhat.com> writes:

> By default MIT's GSSAPI (and Heimdal's if I recall) enables the replay
> cache, but some modules (notoriously mod_auth_kerb) just disable it.

It's very challenging to use the replay cache with mod_auth_kerb and a typical web application and security configuration, since it redoes an authentication on every page fetch and therefore generates a ton of Kerberos authentication requests in a very small timeframe. Historically, this has caused replay cache collisions, which is why the replay cache is always turned off, since otherwise most protected web sites became inaccessible due to all the replay cache rejections.

I think modern replay caches may no longer have this collision issue?

-- 
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos