Sanford,

You might be able to turn off replay detection. However, if you are able to turn it 
off it would be less secure.

Tim. 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: 10 October 2003 21:12
To: Tim Alsop
Cc: [EMAIL PROTECTED]
Subject: RE: Kerberos Implementation in a distributed Windows environment


That's correct, and it is one of the proposed solutions. However, that would make the 
system not very scalable, and also harder to maintain. I was just wondering what people 
think about this... is there another way?

Thanks

Regards
Sanford
_______________________________

Sanford Sham
Accenture
Melbourne - 360 Elizabeth Street
Direct dial: +61 3 9838 8429
VPN & Octel: 286/8429
Fax: +61 3 9838 7100
email: [EMAIL PROTECTED]



From: Tim Alsop <[EMAIL PROTECTED] UK>
To: Sanford Sham/Internal/[EMAIL PROTECTED], [EMAIL PROTECTED]
cc:
Subject: RE: Kerberos Implementation in a distributed Windows environment
Date: 10/10/2003 03:55 PM



Sanford,


Is it possible for you to use a unique Kerberos principal for each service on the EAI 
boxes? This would avoid replay attack detection issues.


Thanks, Tim.


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 08 October 2003 00:52
To: [EMAIL PROTECTED]
Subject: Re: Kerberos Implementation in a distributed Windows environment


Hi


I'm just writing to ask a question, currently related to my project.


We are trying to implement Kerberos security in our distributed Windows environment. 
We have more than one dedicated Windows 2k box (let's call them EAI boxes) that is 
used to communicate with WebSphere servers, using Kerberos tickets etc.


We have more than one EAI box online at any given time. All the NT services are 
hosted under the same Windows domain account. Basically, it's as if the same domain 
account is used to host multiple services, on multiple machines.


The problem comes when simultaneous transactions are conducted. Let's say all EAI 
boxes fire a transaction to the same WebSphere service at the same time. Since they are 
hosted by the same domain account, the user that is seen on the Kerberos ticket is the 
same. Also, since they are fired at the same time, the timestamp is the same (or very 
close). Therefore, after receiving the first transaction, WebSphere rejects all 
subsequent transactions on the basis of duplicate Kerberos tickets being sent (or 
replay).


Microsoft says that there is nothing they can do to fix this. They argue that the 
standard specifies that only [Client Id, Timestamp] is used in the authenticator, and 
they would not modify this to make the authenticator more unique.


Can you provide a view on this? Thanks very much for your help.


Regards
Sanford





This message is for the designated recipient only and may contain privileged, 
proprietary, or otherwise private information.  If you have received it in error, 
please notify the sender immediately and delete the original.  Any other use of the 
email by you is prohibited.


________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
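The two options discussed in the thread (a distinct principal per service instance, or switching replay detection off) can be seen side by side in a small simulation. The code below is an added illustration for this page, not code from the thread, from Windows or from WebSphere: it is a toy replay cache in the style of RFC 4120 section 3.2.3, keyed on the client principal, the server principal and the authenticator's ctime and cusec. The principal names, hostnames and timestamps are constructed for the example, and a "simultaneous" burst is modelled as authenticators whose time fields are identical, which is the situation Sanford describes. A real authenticator carries both seconds and microseconds, so an exact collision needs both to match; the model does not try to reproduce what either product actually keys its cache on.

```python
# Added illustration (not code from the thread, Windows, or WebSphere): a toy
# model of an AP-REQ replay cache in the style of RFC 4120 section 3.2.3.
# Principal names, hostnames and times below are constructed for the example.
from dataclasses import dataclass, field

MAX_CLOCK_SKEW = 300  # seconds, the conventional Kerberos clock-skew window


@dataclass(frozen=True)
class Authenticator:
    """The authenticator fields a replay cache keys on."""
    client: str   # client principal from the ticket (name@REALM)
    server: str   # service principal the ticket was issued for
    ctime: int    # client time, whole seconds since the epoch
    cusec: int    # client time, microsecond part


@dataclass
class ReplayCache:
    """Server-side replay cache for one service."""
    now: int                       # the server's clock, fixed for the example
    replay_detection: bool = True  # the 'turn it off' option from the thread
    seen: set = field(default_factory=set)

    def accept(self, auth: Authenticator) -> str:
        """Return 'OK' or the Kerberos error the server would send back."""
        if abs(auth.ctime - self.now) > MAX_CLOCK_SKEW:
            return "KRB_AP_ERR_SKEW"
        if not self.replay_detection:
            return "OK"  # any fresh-looking authenticator is taken at face value
        key = (auth.client, auth.server, auth.ctime, auth.cusec)
        if key in self.seen:
            return "KRB_AP_ERR_REPEAT"
        self.seen.add(key)
        return "OK"


SERVICE = "HTTP/websphere.example.com@EXAMPLE.COM"  # constructed service principal
T0 = 1_065_700_000  # constructed 'now'; every EAI box fires at this instant


def burst(clients):
    """Several EAI boxes hit the same service at the same instant.

    Returns the cache's verdict for each authenticator, in arrival order.
    """
    cache = ReplayCache(now=T0)
    return [cache.accept(Authenticator(c, SERVICE, T0, 123456)) for c in clients]


def shared_principal_burst(n_hosts):
    """Sanford's setup: every box runs its service as the same domain account."""
    return burst(["eaisvc@EXAMPLE.COM"] * n_hosts)


def per_host_principal_burst(n_hosts):
    """Tim's first suggestion: a distinct principal per service instance."""
    return burst([f"eaisvc/eai{i:02d}.example.com@EXAMPLE.COM"
                  for i in range(n_hosts)])


def captured_authenticator_replayed(replay_detection):
    """Tim's second point: with detection off, a captured AP-REQ works twice."""
    cache = ReplayCache(now=T0, replay_detection=replay_detection)
    auth = Authenticator("eaisvc@EXAMPLE.COM", SERVICE, T0 - 10, 42)
    first = cache.accept(auth)     # legitimate request from an EAI box
    replayed = cache.accept(auth)  # the same bytes, resent by an attacker
    return first, replayed


if __name__ == "__main__":
    print("shared principal  :", shared_principal_burst(3))
    print("per-host principal:", per_host_principal_burst(3))
    print("detection on      :", captured_authenticator_replayed(True))
    print("detection off     :", captured_authenticator_replayed(False))
```

With a shared principal only the first of the three simultaneous requests is accepted and the rest are answered with KRB_AP_ERR_REPEAT; giving each host its own service principal changes the cache key, so all three pass. Disabling replay detection also makes the burst succeed, but the last function shows the cost: an authenticator captured from the wire is accepted a second time for as long as it stays inside the clock-skew window.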