Hi,

Suppose there are two servers A and B running under different Kerberos service principals. If both service principals have the same password and kvno, then the Kerberos long-term encryption key will be the same for both. This seems to be the case for the Windows KDC.

In such a case, if a client holding a service ticket for A tries to authenticate with that ticket to server B, should it work? It is working fine in the JDK implementation.

https://tools.ietf.org/html/rfc1510#page-21 : in the RFC it is not clear whether the server should validate the server principal in the service ticket when the KRB_AP_REQ message is received. It looks like decryption with the key is sufficient, along with some other validations, but I don't find server name validation explicitly mentioned.

--
Regards,
Vipul

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
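To illustrate the question, here is an added toy model written for this page; it is not code from the post or from any Kerberos implementation and uses no real Kerberos cryptography. It models the long-term key as derived from the password and kvno only, as the post describes, models ticket "encryption" as a keyed MAC over the ticket body, and shows that a key-only check on server B passes while a comparison of the ticket's sname against the acceptor's own principal (all names are constructed) rejects it.

```python
import hashlib
import hmac
import json

# Toy key derivation: password and kvno only, as described in the post,
# so two principals with the same password and kvno share a key.
def long_term_key(password: str, kvno: int) -> bytes:
    return hashlib.sha256(f"{password}:{kvno}".encode()).digest()

def issue_ticket(service_key: bytes, cname: str, sname: str) -> dict:
    """KDC side. Encryption of the ticket body under the service's long-term
    key is modelled as an HMAC tag; enough to show what the key alone binds."""
    body = {"cname": cname, "sname": sname, "session_key": "constructed-session-key"}
    raw = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(service_key, raw, hashlib.sha256).hexdigest()
    return {"enc_part": raw, "tag": tag}

def accept_ap_req(own_principal: str, own_key: bytes, ticket: dict, check_sname: bool) -> str:
    """Acceptor side. Step 1 is what the key gives you; step 2 is the
    sname comparison the post asks about. Returns a short verdict."""
    expected = hmac.new(own_key, ticket["enc_part"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        return "reject: integrity/decryption failed"
    body = json.loads(ticket["enc_part"])
    if check_sname and body["sname"] != own_principal:
        return f"reject: ticket is for {body['sname']}, not {own_principal}"
    return f"accept: client {body['cname']}"

def demo() -> dict:
    # Constructed principals; B has the same password and kvno as A.
    key_a = long_term_key("Same-Password", 3)
    key_b = long_term_key("Same-Password", 3)
    a_name = "HTTP/a.example.com@EXAMPLE.COM"
    b_name = "HTTP/b.example.com@EXAMPLE.COM"
    ticket_for_a = issue_ticket(key_a, "vipul@EXAMPLE.COM", a_name)
    return {
        "A": accept_ap_req(a_name, key_a, ticket_for_a, True),
        "B_key_only": accept_ap_req(b_name, key_b, ticket_for_a, False),
        "B_with_sname": accept_ap_req(b_name, key_b, ticket_for_a, True),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```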