Hello,
I apologize if this is not the correct forum to ask this.
I am a systems administrator with BlackRock, and I was hoping you could help me
by clarifying the required KDC behavior per RFC 4120.
I am running into a problem getting a Java client to authenticate with a server
2008 KDC and need this clarification to resolve this issue.
This is the scenario:
- Java client supports AES, DES and RC4-HMAC encryption
- Server 2008 KDC supports RC4-HMAC4 encryption only. It does not support
AES. (The operating system code does support AES, but this functionality is
only available when there are no older operating systems such as server 2003
acting as domain controllers in the environment)
Question:
If the Java client makes an AS-REQ WITHOUT including pre-authentication
information, the KDC needs to reply with KDC_ERR_PREAUTH_REQUIRED. Should it
list AES in the PA-ETYPE-INFO2 because section 3.1.3 says:
When the AS server is to include pre-authentication data in a
KRB-ERROR or in an AS-REP, it MUST use PA-ETYPE-INFO2, not PA-ETYPE-
INFO, if the etype field of the client's AS-REQ lists at least one
"newer" encryption type.
Or should the KDC NOT include AES in the reply because section 3.1.3 also says:
If pre-authentication is
required, but was not present in the request, an error message with
the code KDC_ERR_PREAUTH_REQUIRED is returned, and a METHOD-DATA
object will be stored in the e-data field of the KRB-ERROR message to
specify which pre-authentication mechanisms are acceptable. Usually
this will include PA-ETYPE-INFO and/or PA-ETYPE-INFO2 elements as
described below.
Thank you and in anticipation of your reply,
-Ravi
THIS MESSAGE AND ANY ATTACHMENTS ARE CONFIDENTIAL, PROPRIETARY, AND MAY BE
PRIVILEGED. If this message was misdirected, BlackRock, Inc. and its
subsidiaries, ("BlackRock") does not waive any confidentiality or privilege.
If you are not the intended recipient, please notify us immediately and destroy
the message without disclosing its contents to anyone. Any distribution, use
or copying of this e-mail or the information it contains by other than an
intended recipient is unauthorized. The views and opinions expressed in this
e-mail message are the author's own and may not reflect the views and opinions
of BlackRock, unless the author is authorized by BlackRock to express such
views or opinions on its behalf. All email sent to or from this address is
subject to electronic storage and review by BlackRock. Although BlackRock
operates anti-virus programs, it does not accept responsibility for any damage
whatsoever caused by viruses being passed.
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
