[37032] in Kerberos


Re: Issue with kvno

daemon@ATHENA.MIT.EDU (Benjamin Kaduk)
Mon Jun 1 14:11:54 2015

Date: Mon, 1 Jun 2015 14:11:32 -0400 (EDT)
From: Benjamin Kaduk <kaduk@mit.edu>
To: vishal <vicky.recw@gmail.com>
In-Reply-To: <CAG-wCMt74DoFs+dSVnVm5M79SKN82S5y0rNSCvYB7k6Bdc=3Kw@mail.gmail.com>
Message-ID: <alpine.GSO.1.10.1506011402350.22210@multics.mit.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Fri, 29 May 2015, vishal wrote:

> My question is why kvno is not always present in the ticket; this
> ticket is basically the one which comes in the TGS-RESP (from the home
> domain), and sname is krbtgt for the trusted domain in the TGS-REQ.
>
> I see kvno only when a new trust is created between domains and we join
> the domain. So under what situation would kvno be there in the ticket?
>
> I hope it is clear.

I guess it's clear enough, for the answer "we don't know".

The kvno field in the ASN.1 EncryptedData type is an optional field, used
to assist the recipient in selecting which key to use to decrypt the data.
Given that the Microsoft KDC is generating this EncryptedData, we probably
would only know when it includes the kvno by examining its source code,
which is unavailable.

-Ben
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
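
As an added illustration (not part of the original message): a minimal Python DER reader for the RFC 4120 EncryptedData type, showing how a recipient can tell whether the optional kvno is present and narrow its key choice accordingly. The sample bytes, the in-memory keytab layout and the newest-first fallback are assumptions constructed for this example.

```python
# EncryptedData ::= SEQUENCE { etype [0] Int32, kvno [1] UInt32 OPTIONAL,
#                              cipher [2] OCTET STRING }   (RFC 4120)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def parse_encrypted_data(der):
    """Return (etype, kvno or None, cipher) from a DER EncryptedData."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    fields, pos = {}, 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        fields[tag] = read_tlv(inner, 0)[1]  # unwrap the explicit [n] tag
    if 0xA0 not in fields or 0xA2 not in fields:
        raise ValueError("etype and cipher are mandatory")
    etype = int.from_bytes(fields[0xA0], "big", signed=True)
    kvno = int.from_bytes(fields[0xA1], "big") if 0xA1 in fields else None
    return etype, kvno, fields[0xA2]

def candidate_keys(keytab, etype, kvno):
    """keytab: list of (kvno, etype, key) tuples (hypothetical layout)."""
    matches = [e for e in keytab if e[1] == etype]
    if kvno is not None:  # sender named the key version: use only that one
        return [e for e in matches if e[0] == kvno]
    # No kvno hint: every key of this etype must be tried (newest first here,
    # which is this example's policy, not a protocol requirement).
    return sorted(matches, key=lambda e: e[0], reverse=True)

# Constructed samples: etype 18, 4-byte dummy cipher, with and without kvno 3.
WITH_KVNO = bytes.fromhex("3012a003020112a103020103a2060404deadbeef")
WITHOUT_KVNO = bytes.fromhex("300da003020112a2060404deadbeef")
KEYTAB = [(2, 18, b"old"), (3, 18, b"new"), (3, 23, b"rc4")]  # constructed

if __name__ == "__main__":
    for blob in (WITH_KVNO, WITHOUT_KVNO):
        etype, kvno, _ = parse_encrypted_data(blob)
        print(etype, kvno, candidate_keys(KEYTAB, etype, kvno))
```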
