[36392] in Kerberos


client not responding to KDC_ERR_PREAUTH_REQUIRED

daemon@ATHENA.MIT.EDU (Ben H)
Mon Aug 18 12:56:42 2014

Date: Mon, 18 Aug 2014 11:56:32 -0500
Message-ID: <CAAd7auYN_rmAG2mPQgS0mSEuL9hOd4LYMUc55YGxWS3nQ6Fn7A@mail.gmail.com>
From: Ben H <bhendin@gmail.com>
To: Kerberos@mit.edu

We have an application that is experiencing some issues when tickets expire.

We receive the KRB_AP_ERR_TKT_EXPIRED from the KDC and then attempt to
re-initiate with AS-REQ.
After re-negotiating over TCP (KRB_ERR_RESPONSE_TOO_BIG), the application
receives the KDC_ERR_PREAUTH_REQUIRED from the KDC (a Windows 2008 DC).

At this point, the client ACKs the session and then properly closes it down
(FIN,ACK).  The problem is that the client never attempts to reissue an
AS-REQ with the PA-ENC-TIMESTAMP.

This does not occur all the time (like after a reboot), but in some cases
when it happens, the client simply can't renew its ticket.

I am simply trying to narrow this down to environmental factors, a Kerberos
behavior, or simply an application bug.

I have never seen a client not respond to a KDC_ERR_PREAUTH_REQUIRED before
without some additional errors (like unsupported etype, etc.).

Can anyone help account for this behavior?

Thanks!
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
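
Added example, not part of the original message: one way to find the stalled exchange described above in decoded capture records, by flagging every KDC_ERR_PREAUTH_REQUIRED that is not followed by an AS-REQ carrying PA-ENC-TIMESTAMP from the same client. The `Msg` record layout, the client names, the 5-second window and the sample capture are assumptions constructed for illustration; the numeric codes are those of RFC 4120.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

AS_REQ, KRB_ERROR = 10, 30        # RFC 4120 message types
KDC_ERR_PREAUTH_REQUIRED = 25     # RFC 4120 error codes
KRB_ERR_RESPONSE_TOO_BIG = 52
PA_ENC_TIMESTAMP = 2              # RFC 4120 pre-authentication data type

@dataclass
class Msg:                        # hypothetical record, one per decoded message
    t: float                      # capture time in seconds
    client: str                   # client side of the conversation
    msg_type: int
    error_code: Optional[int] = None
    padata: Tuple[int, ...] = ()  # padata types present in an AS-REQ

def stalled_preauth(msgs, window=5.0):
    """Return (client, time) for each KDC_ERR_PREAUTH_REQUIRED that was not
    followed within `window` seconds by an AS-REQ with PA-ENC-TIMESTAMP."""
    msgs = sorted(msgs, key=lambda m: m.t)
    stalled = []
    for i, m in enumerate(msgs):
        if m.msg_type != KRB_ERROR or m.error_code != KDC_ERR_PREAUTH_REQUIRED:
            continue
        answered = any(
            n.client == m.client and n.msg_type == AS_REQ
            and PA_ENC_TIMESTAMP in n.padata and n.t - m.t <= window
            for n in msgs[i + 1:]
        )
        if not answered:
            stalled.append((m.client, m.t))
    return stalled

# Constructed sample capture: client-a shows the behaviour from the message,
# client-b shows the normal two-step exchange.
CAPTURE = [
    Msg(0.00, "client-a", AS_REQ),                               # over UDP
    Msg(0.01, "client-a", KRB_ERROR, KRB_ERR_RESPONSE_TOO_BIG),
    Msg(0.02, "client-a", AS_REQ),                               # retry over TCP
    Msg(0.03, "client-a", KRB_ERROR, KDC_ERR_PREAUTH_REQUIRED),  # then FIN, nothing more
    Msg(1.00, "client-b", AS_REQ),
    Msg(1.01, "client-b", KRB_ERROR, KDC_ERR_PREAUTH_REQUIRED),
    Msg(1.02, "client-b", AS_REQ, padata=(PA_ENC_TIMESTAMP,)),
]

if __name__ == "__main__":
    for client, t in stalled_preauth(CAPTURE):
        print(f"{client}: no PA-ENC-TIMESTAMP AS-REQ after preauth error at t={t}")
```

Correlating the flagged timestamps with the application's own logs helps separate a client-library decision from a network or KDC-side cause.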
