There is a requirement that preauth'ed service accounts (which IIS would have) only accept preauthed tickets.
* Speedo <[EMAIL PROTECTED]> [2008-02-19 10:32]: > Sorry to post into 2 groups. > > I have a Java application using Kerberos to talk to IIS on a Windows > domain. First I call java's kinit and then use the acquired initial > TGT to connect to IIS with JGSS. When the initial ticket is pre- > authed, I can get the web content. However, if I set the user account > as "do not require preauth" and acquire such an un-preauth-ed initial > TGT, and then get a service ticket for IIS using this TGT, it seems > this ticket cannot be used to retrieve pages from IIS (using SPNEGO). > Is this a designed feature? > > Thanks > Speedo > ________________________________________________ > Kerberos mailing list [email protected] > https://mailman.mit.edu/mailman/listinfo/kerberos -- John Washington Security Officer, University of Illinois Urbana-Champaign
signature.asc
Description: Digital signature
________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
