List: krbdev
Subject: Re: communications with KDC in calling krb5_get_init_creds_password()
From: Greg Hudson <ghudson () MIT ! EDU>
Date: 2014-06-25 19:45:38
Message-ID: 53AB26E2.5020803 () mit ! edu
On 06/25/2014 03:05 PM, Bin Lu wrote:
> 1. Why the API needs to talk to KDC twice in order to validate the password?
> As I understand all it needs is to check if it can decrypt the TGS session key
> returned in the 1st response.
If the KDC requires preauthentication for that principal, two
round-trips are usually needed. The first reply indicates what preauth
mechanisms the KDC supports, and the second contains the actual ticket.
> 2. What data it receives from KDC would cause response TOO BIG in this API,
> the credential?
Probably a large PAC
(http://msdn.microsoft.com/en-us/library/cc237917.aspx) in the
authorization data of the ticket.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
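The exchange described in the reply above, as an added example that is not part of the original message and is not MIT krb5 code: a simplified C model of the client loop and the KDC's answers, combining both points (the preauthentication round-trip and the too-big response that moves the request to TCP). The two error codes are the RFC 4120 values; the struct, the function names and the byte sizes are hypothetical.

```c
#include <stdio.h>
/* Error codes as defined in RFC 4120; the rest is a simplified model. */
#define KDC_ERR_PREAUTH_REQUIRED 25
#define KRB_ERR_RESPONSE_TOO_BIG 52
#define AS_REP_OK 0
enum transport { T_UDP, T_TCP };

/* Hypothetical per-principal KDC state (constructed values, not measured). */
struct kdc_model {
    int requires_preauth; /* principal requires preauthentication */
    int as_rep_bytes;     /* encoded AS-REP size; a large PAC inflates it */
    int udp_max_bytes;    /* largest reply the KDC sends over UDP */
};

/* KDC side: answer a single AS-REQ. */
static int kdc_answer(const struct kdc_model *k, int has_padata, enum transport t)
{
    if (k->requires_preauth && !has_padata)
        return KDC_ERR_PREAUTH_REQUIRED; /* KRB-ERROR listing preauth mechanisms */
    if (t == T_UDP && k->as_rep_bytes > k->udp_max_bytes)
        return KRB_ERR_RESPONSE_TOO_BIG; /* ticket does not fit in a datagram */
    return AS_REP_OK;                    /* AS-REP carrying the ticket */
}

/* Client side: retry until an AS-REP arrives; returns round trips, or -1. */
int as_exchange_round_trips(const struct kdc_model *k, int verbose)
{
    int has_padata = 0;
    enum transport t = T_UDP;
    for (int trips = 1; trips <= 4; trips++) {
        int rc = kdc_answer(k, has_padata, t);
        if (verbose)
            printf("#%d %s AS-REQ %s padata -> code %d\n", trips,
                   t == T_UDP ? "UDP" : "TCP", has_padata ? "with" : "without", rc);
        if (rc == AS_REP_OK)
            return trips;
        if (rc == KDC_ERR_PREAUTH_REQUIRED && !has_padata)
            has_padata = 1;              /* resend with preauth data */
        else if (rc == KRB_ERR_RESPONSE_TOO_BIG && t == T_UDP)
            t = T_TCP;                   /* resend the same request over TCP */
        else return -1;                  /* unexpected answer in this model */
    }
    return -1;
}

int main(void)
{
    struct kdc_model big_pac = { 1, 4000, 1400 }; /* constructed sizes */
    return as_exchange_round_trips(&big_pac, 1) == 3 ? 0 : 1;
}
```

With preauthentication required and a reply larger than the UDP limit, the model needs three round-trips: the preauth-required error, the too-big error, then the AS-REP over TCP.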