>It occurs to me that the current clock skew correction code (when >things are set up so it works) only works on the client side; your >application server still needs to have a correct clock. So that would >probably mean the "server" in U2U would need to have a correct clock >(the "server" in this case is the guy who does NOT talk to the KDC).
Of course I _THEN_ realize that since the "server" in this case has obviously talked to the KDC, he'll have clock skew correction information available. Sigh. I'm not completely sure that the side that processes AP_REQs handles that correctly (has that ever been tested?), but it will be interesting to find out. --Ken ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
