Hi,
I'm trying to understand what's going on "under the hood" in WebAuth,
and one thing is puzzling me.
When I set "WebAuthSubjectAuthType krb5", I can see in Wireshark (as
expected) that the TGT from the webkdc-proxy token is used to get a
service ticket.
But, isn't the authenticator in the PA-TGS-REQ AP-REQ structure
supposed to be encrypted with the session key from the TGT?
So the question is, how does the WebKDC get knowledge of the TGT session key?
Maybe the premise for my question is wrong, but as far as I can see it's
not in the webkdc-proxy token (?), and I can't find anywhere it's
cached between being issued (when the password is available to the WebKDC)
and usage. - I suppose that would have to be a file, since restarting
Apache doesn't affect the SSO.
/Peter