On Fri, Nov 20, 2015 at 11:05 PM, Zheng, Kai <[email protected]> wrote:
> See your snapshots. In the two AS-REQes, a diff is the kdc-option flags.
> Kerby sets the following all by default, which may be incorrect.
> In the client side KdcRequest.java file:
> protected void processKdcOptions() {
> // By default enforce these flags
> kdcOptions.setFlag(KdcOption.FORWARDABLE);
> kdcOptions.setFlag(KdcOption.PROXIABLE);
> kdcOptions.setFlag(KdcOption.RENEWABLE_OK);
>
So I made these line up, I also added a flag to makeRequest to not include
the cname for TGS-REQ, removed the "from" for TGS and set until for TGS-REQ
to 0. These changes made the TGS-REQ the same, but the same error. Going
through the MIT source code, the error is actually only generated by the
encoder, not the decoder. I don't think the issue was with the TGS-REQ,
but when the KDC is generating the TGS-REP. Looking at the AS-REQ, the
only difference I see is the kvno in the PA-ENC-TIMESTAMP. Looking through
the code now to figure out how to include the kvno.
Thanks
Marc
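
An added example, not part of the thread and not Kerby or MIT code: it decodes the 32-bit kdc-options value from two captured requests and lists the flags that differ, which is the comparison done above on the AS-REQ snapshots. Bit numbers follow RFC 4120 (canonicalize from RFC 6806); the function names are hypothetical and the second sample value is constructed.

```python
# KDCOptions bit numbers per RFC 4120 (bit 0 is the most significant bit
# of the 32-bit field); "canonicalize" (bit 15) comes from RFC 6806.
KDC_OPTION_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 8: "renewable",
    11: "opt-hardware-auth", 15: "canonicalize",
    26: "disable-transited-check", 27: "renewable-ok",
    28: "enc-tkt-in-skey", 30: "renew", 31: "validate",
}
NAME_TO_BIT = {name: bit for bit, name in KDC_OPTION_BITS.items()}


def encode_kdc_options(names):
    """Build the 32-bit kdc-options value from a list of flag names."""
    value = 0
    for name in names:
        value |= 1 << (31 - NAME_TO_BIT[name])
    return value


def decode_kdc_options(value):
    """Return the set of flag names set in a 32-bit kdc-options value."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("kdc-options is a 32-bit field")
    flags = set()
    for bit in range(32):
        if value & (1 << (31 - bit)):
            # Unassigned bits are reported by number rather than dropped.
            flags.add(KDC_OPTION_BITS.get(bit, "bit%d" % bit))
    return flags


def diff_kdc_options(first, second):
    """Return (flags only in first, flags only in second), each sorted."""
    a, b = decode_kdc_options(first), decode_kdc_options(second)
    return sorted(a - b), sorted(b - a)


# The three flags the quoted processKdcOptions() sets by default.
KERBY_DEFAULT = encode_kdc_options(["forwardable", "proxiable", "renewable-ok"])
# Constructed sample value for the other client's request (an assumption).
OTHER_CLIENT = 0x40810010

if __name__ == "__main__":
    only_kerby, only_other = diff_kdc_options(KERBY_DEFAULT, OTHER_CLIENT)
    print("kerby default: 0x%08x" % KERBY_DEFAULT)
    print("only in kerby request:", only_kerby)
    print("only in other request:", only_other)
```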