[30008] in Kerberos

Re: pre-authentication

daemon@ATHENA.MIT.EDU (Kevin Coffman)
Tue Jun 24 08:50:05 2008

Message-ID: <4d569c330806240548o445ccdc9ra9d3faa4287f4882@mail.gmail.com>
Date: Tue, 24 Jun 2008 08:48:47 -0400
From: "Kevin Coffman" <kwc@umich.edu>
To: "naveen.bn" <naveen.bn@globaledgesoft.com>
In-Reply-To: <486082D9.7040304@globaledgesoft.com>
MIME-Version: 1.0
Content-Disposition: inline
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Tue, Jun 24, 2008 at 1:15 AM, naveen.bn <naveen.bn@globaledgesoft.com> wrote:
>
> Hi Kevin,
>
> Guide on this, when I use require_preauth for the client and try to send
> the AS_REQ with pa-data using the command
> kinit -X X509_user_identity=FILE:/client/test.pem,/client/test.key naveen
>
> The first AS_REQ will go without pa-data to the KDC, the KDC will reply
> with KRB5KDC_ERR_PREAUTH_REQUIRED (25) and the second AS_REQ will go from
> the client to the KDC with pa-data filled and I get an AS_REP back from the KDC
> with the ticket.
> Please help me in finding the reason behind the AS_REQ going twice from the
> client.

This is the intended behavior of the MIT client.  In the KDC's
PREAUTH_REQUIRED reply, it informs the client which preauth methods
may be used (and possibly some parameters for the methods, such as
certificates in the PKINIT case).  The client then chooses a method
and sends a request with pa-data for the mutually acceptable preauth
method.

K.C.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
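
The two-request exchange described in the reply above, as an added example that is not part of the original message and is not MIT Kerberos code. ToyKDC and get_initial_ticket are hypothetical names; the sketch models only the preauth method negotiation (no ASN.1, no cryptography) and uses the RFC 4120 / RFC 4556 numeric values.

```python
# Added illustration: models only preauth negotiation, no ASN.1 or cryptography.
KDC_ERR_PREAUTH_FAILED = 24              # RFC 4120 error codes
KDC_ERR_PREAUTH_REQUIRED = 25
PA_ENC_TIMESTAMP, PA_PK_AS_REQ = 2, 16   # padata types (RFC 4120, RFC 4556)

class ToyKDC:
    """Hypothetical stand-in for a KDC; principals map to their policy."""
    def __init__(self, principals):
        self.principals = principals  # name -> {"requires_preauth", "methods"}

    def handle_as_req(self, req):
        policy = self.principals[req["cname"]]
        if not policy["requires_preauth"]:
            return {"msg": "AS-REP", "cname": req["cname"]}
        offered = req.get("padata")
        if offered is None:
            # Hint list: tell the client which methods this KDC accepts.
            return {"msg": "KRB-ERROR", "code": KDC_ERR_PREAUTH_REQUIRED,
                    "e_data": list(policy["methods"])}
        if offered["type"] in policy["methods"]:
            return {"msg": "AS-REP", "cname": req["cname"]}
        return {"msg": "KRB-ERROR", "code": KDC_ERR_PREAUTH_FAILED}

def get_initial_ticket(kdc, cname, client_methods):
    """Return the list of (direction, message) pairs seen on the wire."""
    trace = []
    req = {"msg": "AS-REQ", "cname": cname}            # first request: no padata
    for _ in range(2):
        trace.append(("C->K", req))
        rep = kdc.handle_as_req(req)
        trace.append(("K->C", rep))
        if rep["msg"] == "AS-REP" or rep.get("code") != KDC_ERR_PREAUTH_REQUIRED:
            break
        # Pick the first method, in client preference order, the KDC also accepts.
        common = [m for m in client_methods if m in rep["e_data"]]
        if not common:
            break                                      # nothing mutually acceptable
        req = {"msg": "AS-REQ", "cname": cname, "padata": {"type": common[0]}}
    return trace

if __name__ == "__main__":
    # Constructed sample policy: principal requires preauth, KDC accepts two methods.
    kdc = ToyKDC({"naveen": {"requires_preauth": True,
                             "methods": [PA_PK_AS_REQ, PA_ENC_TIMESTAMP]}})
    for direction, msg in get_initial_ticket(kdc, "naveen", [PA_PK_AS_REQ]):
        print(direction, msg)
```
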