Re: How to get Kerberos token for proxy authentication
On Tue, 2024-06-04 at 12:31 +, [email protected] wrote: > Hi again, > > I am looking at the implementing this (getting Kerberos service > token) in C using Heimdal Kerberos library. > > In Golang using this go package https://github.com/alexbrainman/sspi > it was simply two calls as below: > > cred=negotiate.AcquireCurrentCredentials() > token = negotiate.NewClientContext(cred, spn) > > However it looks bit complex in C using MIT/Heimdal library. I am > looking at this example mentioned in the RFC here > https://datatracker.ietf.org/doc/html/rfc7546.html#section-5.1 > > Just checking if someone has done a similar thing and I am on the > right track. Thank you. > You are comparing a full loop with just setting up the initial context. The two calls you have on those two lines are indeed equivalent to: maj = gss_acquire_cred(&min, acceptor_name, GSS_C_INDEFINITE, desired_mechs, cred_usage, creds, actual_mechs, NULL); and maj = gss_init_sec_context(min, init_cred, &init_ctx, accept_name, mech_type, GSS_C_DELEG_FLAG, req_lifetime, GSS_C_NO_CHANNEL_BINDINGS, &accept_token, NULL, &init_token, NULL, NULL); Where all those variables are set to default values. Of course this is missing all error handling, and, if you use defaults it will miss many nuances. As Ken suggested you should look at real examples, libcurl may be a way, I can also suggest this library of mine: ttps://github.com/gssapi/mod_auth_gssapi/blob/master/src/mod_auth_gssap i.c -- Simo Sorce Distinguished Engineer RHEL Crypto Team Red Hat, Inc Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: How to get Kerberos token for proxy authentication
> Hi again, I am looking at the implementing this (getting Kerberos >service token) in C using Heimdal Kerberos library. In Golang using >this go package https://github.com/alexbrainman/sspi it was simply two >calls as below: > >cred=negotiate.AcquireCurrentCredentials()token = >negotiate.NewClientContext(cred, spn) However it looks bit complex in C >using MIT/Heimdal library. I am looking at this example mentioned in the >RFC herehttps://datatracker.ietf.org/doc/html/rfc7546.html#section-5.1 >Just checking if someone has done a similar thing and I am on the right >track. Thank you. I think you're comparing apples and oranges a bit there; those two calls you mention (which from my look at that Golang library really only end up as one SSPI call) are only a small part of the overall authentication flow. The code in that RFC you reference is a mostly-complete GSSAPI application which includes a full loop and interprocess communication. I'm going to repeat what I said last time: look at the libcurl source code which already does this. --Ken Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: How to get Kerberos token for proxy authentication
Hi again, I am looking at the implementing this (getting Kerberos service token) in C using Heimdal Kerberos library. In Golang using this go package https://github.com/alexbrainman/sspi it was simply two calls as below: cred=negotiate.AcquireCurrentCredentials()token = negotiate.NewClientContext(cred, spn) However it looks bit complex in C using MIT/Heimdal library. I am looking at this example mentioned in the RFC herehttps://datatracker.ietf.org/doc/html/rfc7546.html#section-5.1 Just checking if someone has done a similar thing and I am on the right track. Thank you. t RFC 7546: Structure of the Generic Security Service (GSS) Negotiation Loop | | | | | | | | | | | RFC 7546: Structure of the Generic Security Service (GSS) Negotiation Loop This document specifies the generic structure of the negotiation loop to establish a Generic Security Service (G... | | | On Sunday, 24 March 2024 at 19:44:01 GMT, m_a_n_j_u_s_k--- via Kerberos wrote: Thank you. Yes, as suggested here, I am looking into using ether MIT or Heimdal Kerberos implementation. On Friday, 22 March 2024 at 10:05:38 GMT, Simo Sorce wrote: On Thu, 2024-03-21 at 11:24 -0400, Thomas Kula wrote: > On Wed, Mar 20, 2024 at 11:33:16AM -0400, Ken Hornstein via Kerberos wrote: > > > Thanks again Ken. My application is written in Go. So I'm looking > > > for Kerberos implementation that can be easily integrated with my > > > application. Hence I was considering MIT Kerberos and using C bindings > > > to call those APIs from my Go code. "MacOS X it might be easier to use > > > the native GSSAPI implementation which would be Heimdal" > > > > > > Here did you mean developer.apple.com/documentation/gss ? Isn't that in > > > Swift ? I will explore libcurl code thank-you. > > > > I can't speak for the Swift API, but Heimdal on MacOS X also provides a > > standard C API for the GSSAPI functions. I don't have much experience > > with Go but if you can call C functions from within it (and I have to > > believe that is possible) then doing so for Heimdal should be fine. > > There might be a few differences in term of what GSSAPI extension > > functions are available but from what you describe you should only need > > the standard GSSAPI functions. > > Are you familiar with https://github.com/jcmturner/gokrb5? I've used it > in the past with some experiments in some Go code I was working on, I > wasn't touching GSSAPI but there's at least some GSSAPI code in there. > Might be worth checking out as it's native Go code, no cgo wrapping. > Last time I checked that code was kept together with spit and tape, and was far from what I would consider usable in production for general use. It implements the minimum set of code needed for the specific use case and specific file credential of the person that built it, and will fall apart as soon as you do anything funny. There is also no guarantee it is secure. As much as I understand the desire of new languages to have "native code" I strongly suggest to avoid the urge in this case. Both Heimdal and MIT Kerberos have decades of development behind them, not something you reproduce in a "summer of coding". HTH, Simo. -- Simo Sorce Distinguished Engineer RHEL Crypto Team Red Hat, Inc Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: How to get Kerberos token for proxy authentication
Thank you. Yes, as suggested here, I am looking into using ether MIT or Heimdal Kerberos implementation. On Friday, 22 March 2024 at 10:05:38 GMT, Simo Sorce wrote: On Thu, 2024-03-21 at 11:24 -0400, Thomas Kula wrote: > On Wed, Mar 20, 2024 at 11:33:16AM -0400, Ken Hornstein via Kerberos wrote: > > > Thanks again Ken. My application is written in Go. So I'm looking > > > for Kerberos implementation that can be easily integrated with my > > > application. Hence I was considering MIT Kerberos and using C bindings > > > to call those APIs from my Go code. "MacOS X it might be easier to use > > > the native GSSAPI implementation which would be Heimdal" > > > > > > Here did you mean developer.apple.com/documentation/gss ? Isn't that in > > > Swift ? I will explore libcurl code thank-you. > > > > I can't speak for the Swift API, but Heimdal on MacOS X also provides a > > standard C API for the GSSAPI functions. I don't have much experience > > with Go but if you can call C functions from within it (and I have to > > believe that is possible) then doing so for Heimdal should be fine. > > There might be a few differences in term of what GSSAPI extension > > functions are available but from what you describe you should only need > > the standard GSSAPI functions. > > Are you familiar with https://github.com/jcmturner/gokrb5? I've used it > in the past with some experiments in some Go code I was working on, I > wasn't touching GSSAPI but there's at least some GSSAPI code in there. > Might be worth checking out as it's native Go code, no cgo wrapping. > Last time I checked that code was kept together with spit and tape, and was far from what I would consider usable in production for general use. It implements the minimum set of code needed for the specific use case and specific file credential of the person that built it, and will fall apart as soon as you do anything funny. There is also no guarantee it is secure. As much as I understand the desire of new languages to have "native code" I strongly suggest to avoid the urge in this case. Both Heimdal and MIT Kerberos have decades of development behind them, not something you reproduce in a "summer of coding". HTH, Simo. -- Simo Sorce Distinguished Engineer RHEL Crypto Team Red Hat, Inc Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Kerberos token
Thanks Ken, I'm getting the token every time I communicate with the proxy. I was wondering if the token could be reused so that I could optimize code. Thanks for the clarification . Yahoo Mail: Search, organise, conquer On Fri, 22 Mar 2024 at 7:27 pm, Ken Hornstein wrote: >Hi, I have an application that authenticates against a Proxy server >which user Kerberos authentication scheme. My application is using SSPI >library (github/alexbrainman/sspi Golang package to be exact) generate >a kerberos token and this token is passed to the Proxy server through >Proxy-Authorization header "Proxy-Authorization: Negotiate token>" My query, for the subsequent calls to the proxy do I need to >regenerate this key or can I reuse the one generated the first time ? >Or is it that each call to the proxy is treated as a session and that >Kerberos token is for that session only ? As a general rule, GSSAPI tokens (which in the specific case of Kerberos contain AP-REQ/AP-REP messages) are supposed to be only used once; they contain an expiration time in them and are supposed to be checked for reuse on the server side (although that may not always happen depending on implementation details). You should always get a new one by calling the appropriate APIs. Note that assuming your client is using a standard ticket cache only the first request will require contacting the KDC. --Ken Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Kerberos token
>Hi, I have an application that authenticates against a Proxy server >which user Kerberos authentication scheme. My application is using SSPI >library (github/alexbrainman/sspi Golang package to be exact) generate >a kerberos token and this token is passed to the Proxy server through >Proxy-Authorization header "Proxy-Authorization: Negotiate token>" My query, for the subsequent calls to the proxy do I need to >regenerate this key or can I reuse the one generated the first time ? >Or is it that each call to the proxy is treated as a session and that >Kerberos token is for that session only ? As a general rule, GSSAPI tokens (which in the specific case of Kerberos contain AP-REQ/AP-REP messages) are supposed to be only used once; they contain an expiration time in them and are supposed to be checked for reuse on the server side (although that may not always happen depending on implementation details). You should always get a new one by calling the appropriate APIs. Note that assuming your client is using a standard ticket cache only the first request will require contacting the KDC. --Ken Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
Kerberos token
Hi, I have an application that authenticates against a Proxy server which user Kerberos authentication scheme. My application is using SSPI library (github/alexbrainman/sspi Golang package to be exact) generate a kerberos token and this token is passed to the Proxy server through Proxy-Authorization header "Proxy-Authorization: Negotiate " My query, for the subsequent calls to the proxy do I need to regenerate this key or can I reuse the one generated the first time ? Or is it that each call to the proxy is treated as a session and that Kerberos token is for that session only ? Thanks for any info. Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: How to get Kerberos token for proxy authentication
On Thu, 2024-03-21 at 11:24 -0400, Thomas Kula wrote: > On Wed, Mar 20, 2024 at 11:33:16AM -0400, Ken Hornstein via Kerberos wrote: > > > Thanks again Ken. My application is written in Go. So I'm looking > > > for Kerberos implementation that can be easily integrated with my > > > application. Hence I was considering MIT Kerberos and using C bindings > > > to call those APIs from my Go code. "MacOS X it might be easier to use > > > the native GSSAPI implementation which would be Heimdal" > > > > > > Here did you mean developer.apple.com/documentation/gss ? Isn't that in > > > Swift ? I will explore libcurl code thank-you. > > > > I can't speak for the Swift API, but Heimdal on MacOS X also provides a > > standard C API for the GSSAPI functions. I don't have much experience > > with Go but if you can call C functions from within it (and I have to > > believe that is possible) then doing so for Heimdal should be fine. > > There might be a few differences in term of what GSSAPI extension > > functions are available but from what you describe you should only need > > the standard GSSAPI functions. > > Are you familiar with https://github.com/jcmturner/gokrb5? I've used it > in the past with some experiments in some Go code I was working on, I > wasn't touching GSSAPI but there's at least some GSSAPI code in there. > Might be worth checking out as it's native Go code, no cgo wrapping. > Last time I checked that code was kept together with spit and tape, and was far from what I would consider usable in production for general use. It implements the minimum set of code needed for the specific use case and specific file credential of the person that built it, and will fall apart as soon as you do anything funny. There is also no guarantee it is secure. As much as I understand the desire of new languages to have "native code" I strongly suggest to avoid the urge in this case. Both Heimdal and MIT Kerberos have decades of development behind them, not something you reproduce in a "summer of coding". HTH, Simo. -- Simo Sorce Distinguished Engineer RHEL Crypto Team Red Hat, Inc Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: How to get Kerberos token for proxy authentication
>Are you familiar with https://github.com/jcmturner/gokrb5? I've used it >in the past with some experiments in some Go code I was working on, I >wasn't touching GSSAPI but there's at least some GSSAPI code in there. >Might be worth checking out as it's native Go code, no cgo wrapping. I would caution you that if you are targeting MacOS X as a platform, one of the most important things is integration with the native credential cache format (especially if you are assuming your credentials are being acquired as part of the single signon process). On MacOS X the default credential cache uses a RPC mechanism to talk to a daemon process (and that has actually changed to a DIFFERENT RPC service in more recent versions of MacOS X). My brief look at gokrb5 suggests that it only supports the FILE credential cache type. --Ken Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: How to get Kerberos token for proxy authentication
On Wed, Mar 20, 2024 at 11:33:16AM -0400, Ken Hornstein via Kerberos wrote: > >Thanks again Ken. My application is written in Go. So I'm looking > >for Kerberos implementation that can be easily integrated with my > >application. Hence I was considering MIT Kerberos and using C bindings > >to call those APIs from my Go code. "MacOS X it might be easier to use > >the native GSSAPI implementation which would be Heimdal" > > > >Here did you mean developer.apple.com/documentation/gss ? Isn't that in > >Swift ? I will explore libcurl code thank-you. > > I can't speak for the Swift API, but Heimdal on MacOS X also provides a > standard C API for the GSSAPI functions. I don't have much experience > with Go but if you can call C functions from within it (and I have to > believe that is possible) then doing so for Heimdal should be fine. > There might be a few differences in term of what GSSAPI extension > functions are available but from what you describe you should only need > the standard GSSAPI functions. Are you familiar with https://github.com/jcmturner/gokrb5? I've used it in the past with some experiments in some Go code I was working on, I wasn't touching GSSAPI but there's at least some GSSAPI code in there. Might be worth checking out as it's native Go code, no cgo wrapping. -- Thomas L. Kula | [email protected] | https://kula.tproa.net/ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: How to get Kerberos token for proxy authentication
>Thanks again Ken. My application is written in Go. So I'm looking >for Kerberos implementation that can be easily integrated with my >application. Hence I was considering MIT Kerberos and using C bindings >to call those APIs from my Go code. "MacOS X it might be easier to use >the native GSSAPI implementation which would be Heimdal" > >Here did you mean developer.apple.com/documentation/gss ? Isn't that in >Swift ? I will explore libcurl code thank-you. I can't speak for the Swift API, but Heimdal on MacOS X also provides a standard C API for the GSSAPI functions. I don't have much experience with Go but if you can call C functions from within it (and I have to believe that is possible) then doing so for Heimdal should be fine. There might be a few differences in term of what GSSAPI extension functions are available but from what you describe you should only need the standard GSSAPI functions. --Ken Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: How to get Kerberos token for proxy authentication
Thanks again Ken. My application is written in Go. So I'm looking for Kerberos implementation that can be easily integrated with my application. Hence I was considering MIT Kerberos and using C bindings to call those APIs from my Go code. "MacOS X it might be easier to use the native GSSAPI implementation which would be Heimdal" Here did you mean developer.apple.com/documentation/gss ? Isn't that in Swift ? I will explore libcurl code thank-you. Yahoo Mail: Search, organise, conquer On Wed, 20 Mar 2024 at 1:24 am, Ken Hornstein wrote: >Thanks Ken,I understand I need to use GSSAPI for Linux/MacOS >platforms. I was wondering if I can use MIT Kerberos GSSAPI for the >same. Does libcurl use MIT Kerberos gssapi ? Yes my proxy header would >look exactly like you mentioned. Thank-you. You should be able to use the MIT Kerberos GSSAPI implementation fine for this (but I think either MIT Kerberos or Heimdal would work; on MacOS X it might be easier to use the native GSSAPI implementation which would be Heimdal). My understanding is that libcurl can link against either Heimdal or MIT Kerberos, but you should probably investigate that yourself. --Ken Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: How to get Kerberos token for proxy authentication
>Thanks Ken,I understand I need to use GSSAPI for Linux/MacOS >platforms. I was wondering if I can use MIT Kerberos GSSAPI for the >same. Does libcurl use MIT Kerberos gssapi ? Yes my proxy header would >look exactly like you mentioned. Thank-you. You should be able to use the MIT Kerberos GSSAPI implementation fine for this (but I think either MIT Kerberos or Heimdal would work; on MacOS X it might be easier to use the native GSSAPI implementation which would be Heimdal). My understanding is that libcurl can link against either Heimdal or MIT Kerberos, but you should probably investigate that yourself. --Ken Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: How to get Kerberos token for proxy authentication
Thanks Ken,I understand I need to use GSSAPI for Linux/MacOS platforms. I was wondering if I can use MIT Kerberos GSSAPI for the same. Does libcurl use MIT Kerberos gssapi ? Yes my proxy header would look exactly like you mentioned. Thank-you. Yahoo Mail: Search, organise, conquer On Mon, 18 Mar 2024 at 12:11 am, Ken Hornstein wrote: >Hi, I have a requirement to authenticate my application >(Golang) against a proxy server which requires Kerberos >authentication. I have achieved this on Windows using >github/alexbrainman/sspi Golang package.From that package I >basically call negotiate.AcquireCurrentUserCredentials() and >negotiate.NewClientContext() to get the client token which gets passed >to the proxy server in Proxy-Authorization header. I want to achieve >the same on macOS and looking for suitable libraries. Can I use MIT >Kerberos library for this purpose ?what are the APIs equivalent to get >client token without prompting the user for password ? The user would >have acquired Kerberos ticket on sign-in as a domain user. I believe you would want to use the GSSAPI for this. If your header looks like: Proxy-Authorization: Negotiate Then definitely you want to use that. You could use libcurl as example code if you wanted to see what this would look like. --Ken Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: How to get Kerberos token for proxy authentication
>Hi, I have a requirement to authenticate my application >(Golang) against a proxy server which requires Kerberos >authentication. I have achieved this on Windows using >github/alexbrainman/sspi Golang package.From that package I >basically call negotiate.AcquireCurrentUserCredentials() and >negotiate.NewClientContext() to get the client token which gets passed >to the proxy server in Proxy-Authorization header. I want to achieve >the same on macOS and looking for suitable libraries. Can I use MIT >Kerberos library for this purpose ?what are the APIs equivalent to get >client token without prompting the user for password ? The user would >have acquired Kerberos ticket on sign-in as a domain user. I believe you would want to use the GSSAPI for this. If your header looks like: Proxy-Authorization: Negotiate Then definitely you want to use that. You could use libcurl as example code if you wanted to see what this would look like. --Ken Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
How to get Kerberos token for proxy authentication
Hi, I have a requirement to authenticate my application (Golang) against a proxy server which requires Kerberos authentication. I have achieved this on Windows using github/alexbrainman/sspi Golang package.From that package I basically call negotiate.AcquireCurrentUserCredentials() and negotiate.NewClientContext() to get the client token which gets passed to the proxy server in Proxy-Authorization header. I want to achieve the same on macOS and looking for suitable libraries. Can I use MIT Kerberos library for this purpose ?what are the APIs equivalent to get client token without prompting the user for password ? The user would have acquired Kerberos ticket on sign-in as a domain user. Appreciate any inputs on this. Thank you. -mk Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
Help Needed for Kerberos token retrieval using GSS API
Hello Sir, I am not sure whether this is correct forum or not but.. Can you please let me know that how can I write JDK 1.6 program to retrieve Kerberos token of the logged in user? I am very new to this technology. After reading few articles I am not able to understand, how I can do it at my machine(stand alone Windows XP machine). Your inputs can help me a lot. Regards, Aditya Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Impact of "MS AD Kerberos token size" change
saggar wrote: > On Apr 29, 4:43 pm, JC Ferguson wrote: >> I have found the change not necessary in the MIT library. I've seen tokens >> as large as 24k from MS AD domain controllers. >> >> -jc >> >> - Original Message - >> From: [email protected] >> To: [email protected] ; [email protected] >> Sent: Thu Apr 29 07:30:52 2010 >> Subject: Impact of "MS AD Kerberos token size" change >> >> Is MIT kerberos implementation dependent on Microsoft AD Kerberos Token Size >> ? If a user changes the default size from 12K to 64K . does it needs a >> change in kerberos also ? >> >> -- >> Regards >> Sunil Saggar >> ___ >> krbdev mailing list >> [email protected]://mailman.mit.edu/mailman/listinfo/krbdev > > I would like to understand how this token is used and how MIT library > is not dependent on it. Will appreciate code_pointers/documentation. > Google for: Microsoft kerberos PAC The PAC has UUIDs and GUIDs for the user, and is used in a domain for authorization. A normal kerberos ticket might be less the 500 bytes. The other 23.5k of the ticket is the PAC. > -S > > Kerberos mailing list [email protected] > https://mailman.mit.edu/mailman/listinfo/kerberos > > -- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Impact of "MS AD Kerberos token size" change
On Apr 29, 4:43 pm, JC Ferguson wrote: > I have found the change not necessary in the MIT library. I've seen tokens > as large as 24k from MS AD domain controllers. > > -jc > > - Original Message - > From: [email protected] > To: [email protected] ; [email protected] > Sent: Thu Apr 29 07:30:52 2010 > Subject: Impact of "MS AD Kerberos token size" change > > Is MIT kerberos implementation dependent on Microsoft AD Kerberos Token Size > ? If a user changes the default size from 12K to 64K . does it needs a > change in kerberos also ? > > -- > Regards > Sunil Saggar > ___ > krbdev mailing list > [email protected]://mailman.mit.edu/mailman/listinfo/krbdev I would like to understand how this token is used and how MIT library is not dependent on it. Will appreciate code_pointers/documentation. -S Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Impact of "MS AD Kerberos token size" change
Thanks JC I would like to understand the impact of kerberos token size and how MIT library is not impacted by it. will appreciate any code_pointers/documentation. -S On Thu, Apr 29, 2010 at 5:13 PM, JC Ferguson wrote: > I have found the change not necessary in the MIT library. I've seen tokens > as large as 24k from MS AD domain controllers. > > -jc > > > > - Original Message - > From: [email protected] > To: [email protected] ; [email protected] > Sent: Thu Apr 29 07:30:52 2010 > Subject: Impact of "MS AD Kerberos token size" change > > Is MIT kerberos implementation dependent on Microsoft AD Kerberos Token > Size > ? If a user changes the default size from 12K to 64K . does it needs a > change in kerberos also ? > > -- > Regards > Sunil Saggar > ___ > krbdev mailing list [email protected] > https://mailman.mit.edu/mailman/listinfo/krbdev > -- Regards Sunil Saggar Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Impact of "MS AD Kerberos token size" change
I have found the change not necessary in the MIT library. I've seen tokens as large as 24k from MS AD domain controllers. -jc - Original Message - From: [email protected] To: [email protected] ; [email protected] Sent: Thu Apr 29 07:30:52 2010 Subject: Impact of "MS AD Kerberos token size" change Is MIT kerberos implementation dependent on Microsoft AD Kerberos Token Size ? If a user changes the default size from 12K to 64K . does it needs a change in kerberos also ? -- Regards Sunil Saggar ___ krbdev mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/krbdev Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
Impact of "MS AD Kerberos token size" change
Is MIT kerberos implementation dependent on Microsoft AD Kerberos Token Size ? If a user changes the default size from 12K to 64K . does it needs a change in kerberos also ? -- Regards Sunil Saggar Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
