NetSteady wrote:

> We are just trying to replicate the processes that Kerberos for Windows
> goes through, and the only traffic that we see from a Windows machine
> to a Kerberos KDC is the AS-REQ and AS-REP exchange. The process is
> supposed to be as simple and fast as possible for password validation,
> as our possible implementations will serve locations with up to 100,000
> credentials.
>
> The password validation will act as part of a three-factor
> authentication. Username validation is only one of the factors, and the
> other two are VERY hard to spoof.
>
> On the other hand, does anyone know of an existing DLL that will allow
> us to make calls to it, processing the credentials?
>
> Chris
KFW does not perform password validation. The tickets obtained by KFW are not used as a sign of permission to log on to the machine.

The tickets can only be considered validated after they have been used to authenticate to a service that has decrypted the portion of the ticket encrypted in the service principal's long term key.

If you are using the ticket as part of a password validation, you must have a key for a service principal and you must obtain a service ticket for that principal and validate that you can decrypt it with the service principal's long term key.

Take a look at krb5_verify_init_creds().

Jeffrey Altman
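A simplified model of the check described in the reply above, added here as an illustration and not taken from the thread or from MIT Kerberos. `ToyKDC`, `seal`/`unseal` (a toy cipher, not a Kerberos enctype), `str2key` and the principals are all hypothetical, and the service ticket is issued directly rather than through a TGS exchange.

```python
import hashlib, hmac, json, os

def _tag(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def seal(key, obj):
    """Toy authenticated cipher standing in for a Kerberos enctype (assumption)."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ks = hashlib.shake_256(key + nonce).digest(len(pt))
    body = nonce + bytes(a ^ b for a, b in zip(pt, ks))
    return body + _tag(key, body)

def unseal(key, blob):
    """Return the plaintext, or None if blob was not sealed in key."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, body)):
        return None
    ks = hashlib.shake_256(key + body[:16]).digest(len(body) - 16)
    return json.loads(bytes(a ^ b for a, b in zip(body[16:], ks)))

def str2key(password, principal):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 1000)

class ToyKDC:  # hypothetical model: principal name -> long-term key
    def __init__(self, keys):
        self.keys = keys
    def as_rep(self, client):
        # Sealed in the client's password-derived key.
        return seal(self.keys[client], {"client": client})
    def service_ticket(self, client, service):
        # Sealed in the service principal's long-term key.
        return seal(self.keys[service], {"client": client, "service": service})

def as_exchange_only(kdc, client, password):
    """The check in the question: stop once the AS-REP decrypts."""
    return unseal(str2key(password, client), kdc.as_rep(client)) is not None

def verified_login(kdc, client, password, service, keytab_key):
    """The check in the reply: also decrypt a service ticket with our own key."""
    if not as_exchange_only(kdc, client, password):
        return False
    ticket = unseal(keytab_key, kdc.service_ticket(client, service))
    return ticket == {"client": client, "service": service}

# Constructed sample data; `other` is a responder that never held HOST_KEY.
USER, HOST = "chris@EXAMPLE.TEST", "host/gate.example.test@EXAMPLE.TEST"
HOST_KEY = os.urandom(32)
kdc = ToyKDC({USER: str2key("s3cret", USER), HOST: HOST_KEY})
other = ToyKDC({USER: str2key("guess", USER), HOST: os.urandom(32)})
```

Against `other`, `as_exchange_only` accepts the password while `verified_login` rejects it, because only the host's own long-term key ties the reply to the KDC that shares that key.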
