On 10/26/2012 07:27 AM, [email protected] wrote:
> I cannot see how the armor key is negotiated initially in the AS request.

See section 5.4.1 and in particular 5.4.1.1.

> I read in the MSDN 
> (http://msdn.microsoft.com/en-us/library/hh536467%28v=prot.20%29.aspx) that 
> clients first obtain a TGT for the computer principal. This conversation is 
> not armored. Then they use the computer TGT for armoring the user's AS 
> exchange. Is this the standard behavior or a Microsoft specific 
> implementation?

The standard is mostly agnostic about how the ticket for a
FX_FAST_ARMOR_AP_REQUEST is obtained, but that's how the designers of
FAST envisioned it being used.  The assumption is that host keys are
strong, and therefore it isn't necessary to protect an AS request using
a host key from brute-force attacks.

Another way to obtain a ticket for the armoring request is to use
anonymous PKINIT.  This is more computationally expensive, so using a
TGT obtained with a host key is generally preferable if one exists.
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
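The derivation referenced above (RFC 6113 section 5.4.1.1) is easy to lose in the abstract, so here is an added worked example of how the two sides arrive at the same armor key once the client holds a ticket for the armoring AP-REQ. This is illustrative code written for this page, not code from the thread participants or from any Kerberos implementation. It assumes the armor ticket's enctype is aes256-cts-hmac-sha384-192, whose PRF is the HMAC-SHA-384 construction from RFC 8009 and whose random-to-key is the identity; the host TGT session key and the client's fresh subkey are constructed sample values, not real keys.

```python
"""Worked example: FAST armor key derivation (RFC 6113 section 5.4.1.1).

    armor_key = KRB-FX-CF2(subkey, ticket_session_key, "subkeyarmor", "ticketarmor")

The subkey comes from the client's AP-REQ authenticator; the ticket session
key is the session key of the ticket used for FX_FAST_ARMOR_AP_REQUEST, which
in the usual deployment is the host's own TGT. Both sides hold both values,
so both derive the same armor key; nobody else holds the ticket session key.
Enctype assumed: aes256-cts-hmac-sha384-192 (RFC 8009). Keys below are
constructed sample values for illustration only.
"""
import hashlib
import hmac
import os

KEY_SEED_LEN = 32  # key seed length of aes256-cts-hmac-sha384-192, in bytes


def kdf_hmac_sha2(key: bytes, label: bytes, context: bytes, k_bits: int) -> bytes:
    """KDF-HMAC-SHA2 from RFC 8009 section 3 (SHA-384 variant).

    K1 = HMAC-SHA-384(key, 0x00000001 | label | 0x00 | context | k)
    output = k-truncate(K1)
    """
    data = (1).to_bytes(4, "big") + label + b"\x00" + context + k_bits.to_bytes(4, "big")
    return hmac.new(key, data, hashlib.sha384).digest()[: k_bits // 8]


def prf(key: bytes, octets: bytes) -> bytes:
    """Enctype PRF, RFC 8009 section 4: KDF-HMAC-SHA2(key, "prf", octets, 256)."""
    return kdf_hmac_sha2(key, b"prf", octets, 256)


def prf_plus(key: bytes, pepper: bytes) -> bytes:
    """PRF+ from RFC 6113 section 5.1: concatenate PRF(key, i || pepper) for
    i = 1, 2, ... until the key seed length is reached, then truncate."""
    out = b""
    counter = 1
    while len(out) < KEY_SEED_LEN:
        out += prf(key, bytes([counter]) + pepper)
        counter += 1
    return out[:KEY_SEED_LEN]


def krb_fx_cf2(k1: bytes, k2: bytes, pepper1: bytes, pepper2: bytes) -> bytes:
    """KRB-FX-CF2: random-to-key(PRF+(k1, pepper1) XOR PRF+(k2, pepper2)).
    random-to-key is the identity for the assumed enctype."""
    a = prf_plus(k1, pepper1)
    b = prf_plus(k2, pepper2)
    return bytes(x ^ y for x, y in zip(a, b))


def fast_armor_key(subkey: bytes, ticket_session_key: bytes) -> bytes:
    """Armor key for explicit armor (RFC 6113 section 5.4.1.1)."""
    return krb_fx_cf2(subkey, ticket_session_key, b"subkeyarmor", b"ticketarmor")


def simulate_armor_negotiation() -> dict:
    """Walk through the exchange the thread describes.

    1. The client already holds the host's TGT; its session key is known to
       the client (from the earlier, unarmored AS reply) and to the KDC (from
       decrypting the TGT it issued).
    2. The client picks a fresh subkey for the armoring AP-REQ authenticator.
    3. Both sides run KRB-FX-CF2 and must agree on the armor key that then
       protects the user's AS exchange.
    """
    # Constructed sample keys (NOT real keys): 32-byte values for the enctype.
    host_tgt_session_key = bytes(range(32))
    client_subkey = os.urandom(32)  # fresh per armoring AP-REQ

    client_armor_key = fast_armor_key(client_subkey, host_tgt_session_key)
    kdc_armor_key = fast_armor_key(client_subkey, host_tgt_session_key)

    # A party that lacks the ticket session key cannot reproduce the armor
    # key even if it knew the subkey, which is why guessing attacks against
    # the armored user AS exchange need the (strong) host key first.
    wrong_guess = fast_armor_key(client_subkey, bytes(32))

    return {
        "client_armor_key": client_armor_key,
        "kdc_armor_key": kdc_armor_key,
        "agree": client_armor_key == kdc_armor_key,
        "wrong_session_key_agrees": wrong_guess == kdc_armor_key,
    }


if __name__ == "__main__":
    result = simulate_armor_negotiation()
    print("armor key:", result["client_armor_key"].hex())
    print("client and KDC agree:", result["agree"])
    print("derivable without ticket session key:", result["wrong_session_key_agrees"])
```

The two peppers are what make the function asymmetric: swapping the roles of subkey and ticket session key yields a different key, so an implementation that mixes up which input is which will fail to interoperate rather than silently produce a related key. Note also that neither the user's long-term key nor the host's long-term key appears in the derivation directly; only the host TGT's session key does, which is the property the reply above relies on when it says a strong host key is enough to protect the user's AS request.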
