> The first problem is Java is sending the pa-enc-timestamp with the first
> request. If it did not then you would get the (25) response. I think
> that is the real solution.
>
> The pseudo code on page 92 says:
>
>     if(client.pa_enc_timestamp_required and
>        pa_enc_timestamp not present) then
>         error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP));
>     endif
>
> > If so since I already send the as-req
> > automatically with the pa-enc-timestamp, if I get the
> > KDC_ERR_PREAUTH_REQUIRED,
>
> Don't send any pre-auth in the first request.
That sounds like a valid path to take. Of course pa_enc_timestamp_required would have to be a config-set option that could be set to true or false. Some customers wouldn't want the performance hit of having to resend the as_req twice as a workaround for the MS AD case name problem. But I do agree that I could create a parameter pa_enc_timestamp_required = false, then send the as_req without any preauth, then handle the (25) scenario. This won't fix the problem if they set it to "true". The problem would possibly still arise for MS AD, but it is a workable solution for people using MS AD 2003. Thanks for the input.

Michael W. Chapel
Java Kerberos/JGSS Development
IBM/Tivoli Java Security
Austin, Texas

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos