On Mon, Dec 22, 2008 at 01:11:50PM -0500, Tom Yu wrote:
> Has anyone experienced problems due to false positive conditions on an
> application replay cache?
[...]

Yes, this happens with Windows clients, where the Kerberos stack may re-use a seconds and microseconds value if multiple AP-REQs are initiated in the same second, but with a different sub-session key.

> If it turns out that almost all of the problems are due to the KDC
> replay cache, we can consider turning off the KDC replay cache, as we
> believe that doing so poses negligible security consequences, and is
> substantially easier.

The KDC replay cache is not an issue, although the replay cache for TGS-REQs needs to behave similarly to the AP-REQ replay cache.

Nico

-- 
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
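The false positive Nico describes, modelled as an added example that is not part of the thread and not code from MIT krb5 or any other Kerberos implementation. It is a simplified replay cache: one version is keyed only on (client, server, ctime, cusec), the other adds a hash of the authenticator ciphertext so that two distinct AP-REQs sharing a timestamp but carrying different sub-session keys are told apart, while a verbatim resend of the same authenticator is still caught. The principal names, the client time, the sub-session key values and the "ciphertext" stand-in are all constructed for the demonstration; a real authenticator ciphertext depends on the session key and the full plaintext, which is what makes the hash a usable discriminator.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Authenticator:
    """Fields of a Kerberos AP-REQ authenticator that a replay cache looks at."""
    client: str
    server: str
    ctime: int     # client time, seconds since the epoch
    cusec: int     # client time, microseconds part
    subkey: bytes  # client-chosen sub-session key (constructed value here)

    def ciphertext(self) -> bytes:
        # Stand-in for the encrypted authenticator. The real ciphertext
        # depends on the session key and every plaintext field, so two
        # authenticators that differ in subkey never encrypt to the same bytes.
        return b"|".join([self.client.encode(), self.server.encode(),
                          str(self.ctime).encode(), str(self.cusec).encode(),
                          self.subkey])


class TimestampReplayCache:
    """Keyed on (client, server, ctime, cusec) only.

    A client that re-uses the same seconds/microseconds for two distinct
    AP-REQs in one second (the Windows behaviour described in the thread)
    collides here and the second request is wrongly reported as a replay."""

    def __init__(self, clockskew: int = 300):
        self.clockskew = clockskew
        self.entries: dict[tuple, int] = {}  # key -> ctime, used for expiry

    def key(self, auth: Authenticator) -> tuple:
        return (auth.client, auth.server, auth.ctime, auth.cusec)

    def check(self, auth: Authenticator, now: int) -> str:
        # Authenticators outside the clock-skew window are rejected before
        # the cache is consulted, so the cache only has to remember one window.
        if abs(now - auth.ctime) > self.clockskew:
            return "SKEW"
        self.expire(now)
        k = self.key(auth)
        if k in self.entries:
            return "REPLAY"
        self.entries[k] = auth.ctime
        return "OK"

    def expire(self, now: int) -> None:
        # Drop entries that can no longer pass the skew check anyway.
        stale = [k for k, t in self.entries.items() if now - t > self.clockskew]
        for k in stale:
            del self.entries[k]


class HashedReplayCache(TimestampReplayCache):
    """Extends the key with a hash of the authenticator ciphertext, so two
    AP-REQs that share a timestamp but differ in sub-session key are distinct
    entries, while a verbatim resend of one authenticator still hits."""

    def key(self, auth: Authenticator) -> tuple:
        digest = hashlib.sha256(auth.ciphertext()).hexdigest()
        return super().key(auth) + (digest,)


def demo() -> dict[str, list[str]]:
    """Run one constructed AP-REQ sequence through both caches; return verdicts."""
    t = 1_229_968_310  # constructed client time, 2008-12-22
    client, server = "alice@EXAMPLE.COM", "host/fs.example.com@EXAMPLE.COM"
    # Two distinct AP-REQs from the same client in the same second, each with
    # its own sub-session key but identical ctime/cusec (constructed).
    req1 = Authenticator(client, server, t, 123456, b"subkey-1")
    req2 = Authenticator(client, server, t, 123456, b"subkey-2")
    resend = req1  # a genuine replay: the same authenticator bytes again
    late = Authenticator(client, server, t - 3600, 0, b"subkey-3")  # outside skew
    sequence = [req1, req2, resend, late]
    results: dict[str, list[str]] = {}
    for name, cache in (("timestamp_only", TimestampReplayCache()),
                        ("with_hash", HashedReplayCache())):
        results[name] = [cache.check(a, now=t + 1) for a in sequence]
    return results


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:15s} {verdicts}")
```

Running it shows the timestamp-only cache reporting req2 as a replay even though it is a fresh request with a different sub-session key, whereas the hashed cache accepts req2 and still rejects the verbatim resend of req1. The expiry step is what keeps either cache bounded: anything older than the skew window would fail the skew check first, so it never needs to be remembered.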
