[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: preauth_always option?
On Wed, 28 May 2008 17:15:13 -0700
"Henry B. Hotz" <firstname.lastname@example.org> wrote:
> On May 28, 2008, at 1:15 PM, Michael B Allen wrote:
> > Hi,
> > It seems Windows records a "preauthentication failed" event log error
> > when the AS-REQ doesn't include pre-authentication data. This is a
> > benign
> > error of course but it confuses people and is generally annoying. My
> > understanding is that preauthentication is pretty much required by
> > everyone this point no?
> > Does anyone have a patch to make get_in_tkt.c always send
> > preauthentication data?
> > For example, the following could indicate that the client should
> > always
> > send KRB5_PADATA_ENC_TIMESTAMP preauthentication data:
> > [libdefaults]
> > preauth_always = 2
> > If not I'll make one and post it but I was hoping someone else had
> > done
> > this already.
> > Mike
> I'd like an option like that, no question.
> We should at least consider how MIT does it though. If you use
> krb5_get_init_creds_opt_set_preauth_list() to set the client-allowed
> preauth types, then MIT will preemptively use one of them in the
> initial AS_REQ. Heimdal "supports" the API, but ignores the list for
> the initial AS-REQ.
> If we do something other than support the "standard" API, then I'd
> suggest an option like
> default_initial_preauth_type = timestamp
> The current default for that parameter, of course, is "none". I'm
> assuming that the client is well-behaved when faced with a server that
> e.g. requires PKINIT or SAM2 instead of timestamp preauth. It should
> still retry with a supported preauth type if the first try isn't
> acceptable, and it *can* talk one of the desired preauth types.
Good points. I'll try to copy the MIT code.
Michael B Allen
PHP Active Directory SPNEGO SSO