Re: Java Pre-auth for Windows 2003 mixed case revival

2005-02-14 Thread Seema Malkani
Douglas E. Engert wrote: MWChapel wrote: which it fails, and since the pa-enc-timestamp is included, windows should throw a KDC_ERR_PREAUTH_FAILED(24) as per rfc1510. But the previous note is stating that we aren't handling the error 24. That is where I tend to disagree, with the

Re: Java Pre-auth for Windows 2003 mixed case revival

2005-02-14 Thread Jeffrey Hutzelman
On Monday, February 14, 2005 01:34:20 PM -0800 Seema Malkani [EMAIL PROTECTED] wrote: Maybe the next Kerberos clarifications should clarify this particular scenario. A large part of the problem here is that KRB-ERROR does not actually have a complete extension mechanism. It has e-data, which

Re: Java Pre-auth for Windows 2003 mixed case revival

2005-02-14 Thread Douglas E. Engert
To answer your last question first, read: Generalized Framework for Kerberos Pre-Authentication http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-preauth-framework-02.txt I think it clarifies all the questions you have. In section 2: when a Kerberos client wishes to obtain a ticket using

Java Pre-auth for Windows 2003 mixed case revival

2005-02-10 Thread MWChapel
Hello, I am working on figuring a solution to the Java conundrum that was stated in an earlier thread last month i.e.: Sun's implementation of Java GSS/Kerberos currently supports PA-ENC-TIMESTAMP as per RFC 1510. The new pre-authentication types specified in the Kerberos clarifications

Re: Java Pre-auth for Windows 2003 mixed case revival

2005-02-10 Thread Douglas E. Engert
MWChapel wrote: Hello, I am working on figuring a solution to the Java conundrum that was stated in an earlier thread last month i.e.: Sun's implementation of Java GSS/Kerberos currently supports PA-ENC-TIMESTAMP as per RFC 1510. The new pre-authentication types specified in the Kerberos

Re: Java Pre-auth for Windows 2003 mixed case revival

2005-02-10 Thread Douglas E. Engert
Mike Chapel wrote: The first problem is Java is sending the pa-enc-timestamp with the first request. If it did not then you would get the (25) response. I think that is the real solution. The pseudo code on page 92 says: if(client.pa_enc_timestamp_required and pa_enc_timestamp not

Re: Java Pre-auth for Windows 2003 mixed case revival

2005-02-10 Thread Mike Chapel
The first problem is Java is sending the pa-enc-timestamp with the first request. If it did not then you would get the (25) response. I think that is the real solution. The pseudo code on page 92 says: if(client.pa_enc_timestamp_required and pa_enc_timestamp not present) then

Re: Java Pre-auth for Windows 2003 mixed case revival

2005-02-10 Thread Roland Dowdeswell
On 1108067146 seconds since the Beginning of the UNIX epoch Douglas E. Engert wrote: In the future as PKINIT and /or other pre-auths are implemented, you may have to send in the first request without any pre-auth just to find out what the KDC will accept so you might as well do it now too. Even