On 02/24/2014 02:17 PM, Ben H wrote:
> I would like to know if there are any known limitations in modern kerb
> implementations that would cause failures of TGT tickets to be issued if
> the same principal was requesting them simultaneously.

Not that I'm aware of.

> If no - why not? What is the data structure being used to prevent this?

The Kerberos authentication protocol does not require a replay cache. In fact, since Kerberos requests may be retransmitted over UDP, a KDC must be willing to respond to the same request twice. In the MIT KDC, we do use a lookaside cache so that we usually respond to identical requests with identical replies, but that isn't really necessary and shouldn't cause any authentication failures.

Aside from that, simultaneous AS requests will usually be different because they contain a random 32-bit nonce. Preauthenticated requests will also be different because of the confounder in the encrypted timestamp (or similar protocol elements for other preauth mechanisms).

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
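The behaviour described in the reply, as an added toy model that is not part of the thread and not MIT krb5 code: a lookaside cache keyed on the bytes of the request, so that a UDP retransmission of an identical AS-REQ gets back the identical AS-REP, while two concurrent requests from the same principal are distinct because each carries its own 32-bit nonce and are therefore both served. The flat `AS-REQ|...` encoding, the `ToyKDC` class and the SHA-256 cache key are assumptions of this model (real KDC-REQ messages are ASN.1 DER); the nonces in `demo()` are constructed values.

```python
"""Toy model of a KDC lookaside cache (constructed example, not krb5 code)."""
import hashlib
import os

NONCE_BITS = 32  # KDC-REQ-BODY nonce is a 32-bit value


def build_as_request(client: str, realm: str, nonce: int) -> bytes:
    """Serialise the AS-REQ fields this model cares about.

    A real request is ASN.1 DER; this flat text encoding is a stand-in
    (assumption of the model) that still makes the nonce part of the bytes.
    """
    if not 0 <= nonce < 2 ** NONCE_BITS:
        raise ValueError("nonce must fit in 32 bits")
    return f"AS-REQ|{client}@{realm}|nonce={nonce}".encode()


def fresh_nonce() -> int:
    """Random 32-bit nonce, as a client would generate per request."""
    return int.from_bytes(os.urandom(4), "big")


class ToyKDC:
    """Answers AS-REQs; identical request bytes get the cached identical reply."""

    def __init__(self) -> None:
        # lookaside cache: hash(raw request) -> reply previously sent
        self._lookaside: dict[bytes, bytes] = {}
        self.tickets_issued = 0
        self.lookaside_hits = 0

    def handle(self, raw_request: bytes) -> bytes:
        key = hashlib.sha256(raw_request).digest()
        cached = self._lookaside.get(key)
        if cached is not None:
            # A retransmission: answer again with exactly what we sent before.
            self.lookaside_hits += 1
            return cached
        reply = self._issue(raw_request)
        self._lookaside[key] = reply
        return reply

    def _issue(self, raw_request: bytes) -> bytes:
        # Each freshly issued reply carries a new random session key, so two
        # distinct requests never produce byte-identical replies.
        self.tickets_issued += 1
        session_key = os.urandom(16)
        return b"AS-REP|" + raw_request + b"|sk=" + session_key.hex().encode()


def demo() -> dict:
    """Run the two scenarios from the thread and report what happened."""
    kdc = ToyKDC()
    # Constructed nonces standing in for two clients' random 32-bit values.
    req_a = build_as_request("alice", "EXAMPLE.ORG", 0x1A2B3C4D)
    req_b = build_as_request("alice", "EXAMPLE.ORG", 0x55AA55AA)

    rep_a = kdc.handle(req_a)
    rep_a_retransmit = kdc.handle(req_a)  # same bytes arrive again over UDP
    rep_b = kdc.handle(req_b)             # same principal, different nonce

    return {
        "retransmit_gets_identical_reply": rep_a == rep_a_retransmit,
        "concurrent_requests_both_served": rep_b.startswith(b"AS-REP|"),
        "concurrent_replies_differ": rep_a != rep_b,
        "tickets_issued": kdc.tickets_issued,
        "lookaside_hits": kdc.lookaside_hits,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that this cache is not a replay cache in the security sense: it never refuses a request, it only avoids doing the work twice and keeps the two replies to a retransmitted request consistent, which is exactly why it cannot by itself cause an authentication failure.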
