Hello,
Apologies if this is a dumb question - I've searched and searched but can't find an
answer: is there any way to configure the (MIT?) Kerberos client[1] to always send
"PA-ENC-TIMESTAMP" preauthentication with the initial 'AS-REQ' interaction?
I'm simply trying to remove the duplication when using a W2K Active Directory KDC
whereby the first AS-REQ results in a KRB-ERROR response indicating
"KRB5KDC_ERR_PREAUTH_REQUIRED" (and I believe at this point kinit requests the
password?); the AS-REQ is resent, this time using the timestamp preauthentication, and
a TGT is granted successfully ('AS-REP').
Perhaps I've missed the point, but should it not be possible to configure the client
to always send preauth, and hence remove the initial redundant protocol interaction?
Any help much appreciated.
[1] I'm using Red Hat 8.0 with Kerberos 1.2.5-8 client
PS - I would never have known this was occurring if it wasn't for the security failure
audits on the W2K Domain Controller indicating "Additional pre-authentication
required", error code 0x19; this is then followed by the successful granting of a TGT
for the target principal.
--
Justin Wood, Directory Specialist
Directory Technologies, H&I
Telstra Technology
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
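
For anyone reviewing the same domain controller audits: the sketch below is an added example, not part of the original post or of any Kerberos distribution. It pairs each 0x19 failure with a TGT issued to the same principal and client shortly afterwards, so the routine two-step exchange described above can be separated from 0x19 entries that never lead to a ticket. The record layout, the label names, the sample rows and the 5-second window are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
SUCCESS = 0x0
PREAUTH_REQUIRED = 0x19  # "Additional pre-authentication required", as quoted in the post
PREAUTH_FAILED = 0x18    # KDC_ERR_PREAUTH_FAILED (RFC 4120 error code 24)

# Constructed sample records: (time, principal, client address, result code).
SAMPLE = [
    ("2003-01-10 09:00:00", "alice", "10.0.0.5", PREAUTH_REQUIRED),
    ("2003-01-10 09:00:01", "alice", "10.0.0.5", SUCCESS),
    ("2003-01-10 09:05:00", "bob",   "10.0.0.9", PREAUTH_REQUIRED),
    ("2003-01-10 09:07:30", "carol", "10.0.0.7", PREAUTH_REQUIRED),
    ("2003-01-10 09:07:31", "carol", "10.0.0.7", SUCCESS),
    ("2003-01-10 09:08:00", "dave",  "10.0.0.8", PREAUTH_FAILED),
]

def classify(records, window=timedelta(seconds=5)):
    """Label each record in time order; returns (principal, code, label) tuples."""
    events = sorted((datetime.strptime(t, FMT), p, c, code)
                    for t, p, c, code in records)
    labels, pending = [], {}  # pending: (principal, client) -> index of open 0x19
    for i, (ts, principal, client, code) in enumerate(events):
        key = (principal, client)
        if code == PREAUTH_REQUIRED:
            labels.append("no-tgt")  # provisional until a TGT follows in time
            pending[key] = i
        elif code == SUCCESS:
            labels.append("tgt-issued")
            j = pending.pop(key, None)
            if j is not None and ts - events[j][0] <= window:
                labels[j] = "negotiation"  # the expected first leg of the exchange
        else:
            labels.append("failure")  # any other KDC error, e.g. 0x18
    return [(e[1], e[3], lab) for e, lab in zip(events, labels)]

def needs_review(records, window=timedelta(seconds=5)):
    """Records left over once the routine 0x19 -> TGT pairs are set aside."""
    return [r for r in classify(records, window) if r[2] in ("no-tgt", "failure")]

if __name__ == "__main__":
    for row in needs_review(SAMPLE):
        print(row)
```
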