On 01/16/2014 05:04 PM, venkyA wrote: > The user's TGT that goes in the pa-tgs-req along with authenticator contains > the subkey. > This subkey & the session key from the user's tgt is used to get the armor > key.
Yes and yes. > This armor key is then used to encrypt the authenticator which is already > encrypted by the session key? No. Look at the definition of KrbFastArmoredReq in RFC 6113. It contains a checksum of the AP-REQ in the armor key and an encrypted KrbFastReq. The KrbFastReq contains options, padata, and the inner request body. The padata within the KrbFastReq does not include the PA-TGS-REQ. ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
