Can you provide any references or documentation on this? I have looked through all of the Microsoft documents I can get a hold of, and can find no information on this.
Thanks,
Michael

> Date: Fri, 7 Feb 2003 01:49:12 +1100
> From: Luke Howard <[EMAIL PROTECTED]>
> Subject: Re: Architectural Question ...
>
> If a Windows 2000 service is not running as the local system account,
> then the Local Security Authority will contact the KDC to validate
> the authorisation data in the ticket. This is to prevent a service
> running with least privilege from forging a ticket to itself with
> more privileged authorisation data.
>
> In practice only the Local Security Authority has access to the
> service key so this attack would not be possible. It certainly adds
> a layer of complexity as far as interoperability is concerned.
>
> -- Luke
>
> >From: [EMAIL PROTECTED] (Tony Cowan)
> >Subject: Re: Architectural Question ...
> >Date: 6 Feb 2003 06:03:30 -0800
> >
> >> No, that's the beauty of Kerberos.
> >
> >Thanks Luke.
> >Someone tells me they've been sniffing and found that one particular
> >implementation does in fact hit the KDC to validate the ticket.
> >I wonder if it's actually hitting the KDC for some other purpose.
> >Getting further information perhaps .. I guess the "session" key
> >should be in the original message, so it shouldn't need to fetch that
> >... I wonder what else it might be.
> >
> >Cheers,
> >Tc.
> >________________________________________________
> >Kerberos mailing list [EMAIL PROTECTED]
> >https://mailman.mit.edu/mailman/listinfo/kerberos
>
> --
> Luke Howard | PADL Software Pty Ltd | www.padl.com
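
The check described in the quoted reply, as an added illustration that is not part of the original thread and is not Microsoft's code: a simplified Python model of why a KDC round trip catches authorisation data altered by a holder of the service key. It assumes the authorisation data carries two keyed checksums, one under the service key and one under a key only the KDC holds; all names, keys and the data layout are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed keys: the service key is known to the KDC and the service;
# the KDC-only key never leaves the KDC.
SERVICE_KEY = b"constructed-service-key"
KDC_KEY = b"constructed-kdc-only-key"


def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def kdc_issue(user, groups):
    """KDC side: build authorisation data and sign it under both keys."""
    body = json.dumps({"user": user, "groups": sorted(groups)}).encode()
    server_sig = mac(SERVICE_KEY, body)
    return {"body": body, "server_sig": server_sig,
            "kdc_sig": mac(KDC_KEY, server_sig)}


def service_local_check(authz):
    """All that can be verified locally with the service key alone."""
    return hmac.compare_digest(mac(SERVICE_KEY, authz["body"]),
                               authz["server_sig"])


def kdc_validate(authz):
    """The round trip to the KDC: only the KDC can verify kdc_sig."""
    return hmac.compare_digest(mac(KDC_KEY, authz["server_sig"]),
                               authz["kdc_sig"])


def tamper_with_service_key(authz, groups):
    """Threat model: a service-key holder edits groups and re-signs what it can."""
    claims = json.loads(authz["body"])
    claims["groups"] = sorted(groups)
    body = json.dumps(claims).encode()
    return {"body": body, "server_sig": mac(SERVICE_KEY, body),
            "kdc_sig": authz["kdc_sig"]}  # cannot be recomputed without KDC_KEY


def accept(authz, runs_as_local_system):
    """Acceptance policy as described: non-system services get a KDC check."""
    if not service_local_check(authz):
        return False
    return True if runs_as_local_system else kdc_validate(authz)
```
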
