[EMAIL PROTECTED] (Tony Cowan) writes:
> Someone tells me they've been sniffing and found that one particular
> implementation does in fact hit the KDC to validate the ticket.
> I wonder if it's actually hitting the KDC for some other purpose.
> Getting further information perhaps .. I guess the "session" key
> should be in the original message, so it shouldn't need to fetch that
> ... I wonder what else it might be.

Perhaps they were thinking of the login verification process? At login time, you get a ticket-granting ticket, which the local machine has no way to validate directly because it doesn't have the key for the ticket-granting service. So it contacts the KDC to get a ticket for some local service (say, the remote-login service "host/foo.bar.com"), decrypts that, and uses that as confirmation that the original password supplied was valid.

Ken
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
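The login verification step described in the reply above, as an added toy model that is not part of the original message and is not code from any Kerberos implementation. `ToyKDC`, `verified_login`, the `seal`/`unseal` cipher and all keys are assumptions made for illustration; authenticators, timestamps and real enctypes are left out. It goes one step beyond the message by also running the check against a KDC that was never given the host's key.

```python
import hashlib, hmac, json, os

def seal(key, obj):
    # Toy authenticated encryption (SHAKE keystream + HMAC), not a Kerberos enctype.
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    ks = hashlib.shake_256(key + nonce).digest(len(data))
    ct = nonce + bytes(a ^ b for a, b in zip(data, ks))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def unseal(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("not encrypted under this key")
    ks = hashlib.shake_256(key + ct[:16]).digest(len(ct) - 16)
    return json.loads(bytes(a ^ b for a, b in zip(ct[16:], ks)))

def pw_key(password):
    return hashlib.sha256(password.encode()).digest()  # toy string-to-key

class ToyKDC:
    def __init__(self, user_keys, service_keys):
        self.users, self.services = user_keys, service_keys
        self.tgs_key = os.urandom(32)  # known only to the KDC, never to the login host

    def as_req(self, user):
        # Returns (part encrypted for the user, TGT encrypted under the TGS key).
        session = os.urandom(16).hex()
        return (seal(self.users[user], {"session": session}),
                seal(self.tgs_key, {"client": user, "session": session}))

    def tgs_req(self, tgt, service):
        client = unseal(self.tgs_key, tgt)["client"]
        return seal(self.services[service], {"client": client, "service": service})

def verified_login(kdc, user, password, host_principal, keytab_key):
    try:
        reply, tgt = kdc.as_req(user)
        unseal(pw_key(password), reply)            # password opens the AS reply
        ticket = kdc.tgs_req(tgt, host_principal)  # the TGT itself is opaque to this host
        inner = unseal(keytab_key, ticket)         # only the host's own key opens this
    except (ValueError, KeyError):
        return False
    return inner == {"client": user, "service": host_principal}

# Constructed sample data.
HOST, HOST_KEY = "host/foo.bar.com", os.urandom(32)
real_kdc = ToyKDC({"alice": pw_key("correct horse")}, {HOST: HOST_KEY})
# A KDC that was never given this host's key (constructed for the negative case).
other_kdc = ToyKDC({"alice": pw_key("anything")}, {HOST: os.urandom(32)})
```

The second KDC round trip is the traffic a sniffer would see at login: the host asks for a ticket it can decrypt with its own key, because the ticket-granting ticket alone proves nothing to it.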
