IIS refuse un-preauth-ed tickets? - Kerberos

This is a discussion on IIS refuse un-preauth-ed tickets? - Kerberos ; Sorry to post into 2 groups. I have a Java application using Kerberos to talk to IIS on a Windows domain. First I call java's kinit and then use the acquired initial TGT to connect to IIS with JGSS. When ...

+ Reply to Thread
Results 1 to 2 of 2

Thread: IIS refuse un-preauth-ed tickets?

  1. IIS refuse un-preauth-ed tickets?

    Sorry to post into 2 groups.

    I have a Java application using Kerberos to talk to IIS on a Windows
    domain. First I call java's kinit and then use the acquired initial
    TGT to connect to IIS with JGSS. When the initial ticket is pre-
    authed, I can get the web content. However, if I set the user account
    as "do not require preauth" and acquire such an un-preauth-ed initial
    TGT, and then get a service ticket for IIS using this TGT, it seems
    this ticket cannot be used to retrieve pages from IIS (using SPNEGO).
    Is this a designed feature?

    Thanks
    Speedo

  2. Re: IIS refuse un-preauth-ed tickets?

    There is a requirement that preauth'ed service accounts (which IIS would
    have) only accept preauthed tickets.

    * Speedo [2008-02-19 10:32]:
    > Sorry to post into 2 groups.
    >
    > I have a Java application using Kerberos to talk to IIS on a Windows
    > domain. First I call java's kinit and then use the acquired initial
    > TGT to connect to IIS with JGSS. When the initial ticket is pre-
    > authed, I can get the web content. However, if I set the user account
    > as "do not require preauth" and acquire such an un-preauth-ed initial
    > TGT, and then get a service ticket for IIS using this TGT, it seems
    > this ticket cannot be used to retrieve pages from IIS (using SPNEGO).
    > Is this a designed feature?
    >
    > Thanks
    > Speedo
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos


    --
    John Washington Security Officer,
    University of Illinois Urbana-Champaign

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.6 (GNU/Linux)

    iD8DBQFHuw2vHn2eIhmhvSIRAqk9AKCDtnksHCc/LniufkGrkDT8ub1gvACfb0cy
    XxKx/PogzS9jmTFtgxv2VRE=
    =0yez
    -----END PGP SIGNATURE-----


+ Reply to Thread