Re: AW: Proof of authenticity of TGT - Kerberos



Thread: Re: AW: Proof of authenticity of TGT

  1. Re: AW: Proof of authenticity of TGT

    On Aug 23, 2006, at 3:43, Olfmatic wrote:
    > I understand your warnings. But it is not possible to add the
    > service to the realm, because it is running on a host that is not
    > in the same windows domain and not in the same kerberos realm. To
    > be more precise, it is not running in a kerberos realm at all and
    > thus is not really a kerberos service.


    If you already have the ability to modify the application client and
    server code to send and verify the TGT, then the only thing
    preventing you from doing the same with a normal service ticket would
    be your KDC. In which case, you're not talking about the MIT KDC,
    and then I can't help you with getting the TGT key out.

    But I'd be really surprised if a Windows KDC couldn't be convinced to
    add an arbitrary service principal somehow. (But since I don't play
    around with Windows KDCs much, I couldn't tell you how to do it
    without doing all the same Google searches that you'd expect to have
    to do.)

    Ken
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: AW: Proof of authenticity of TGT

    Ken Raeburn wrote:

    > But I'd be really surprised if a Windows KDC couldn't be convinced to
    > add an arbitrary service principal somehow. (But since I don't play
    > around with Windows KDCs much, I couldn't tell you how to do it
    > without doing all the same Google searches that you'd expect to have
    > to do.)


    (1) Add an account

    (2) Use "SETSPN" to set a service principal name on the account

    (3) Use "KTPASS" to set the enctype preferences, generate a
    strong random password, and generate a keytab file

    Jeffrey Altman
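    The three steps above as the commands they correspond to. This is an added
    example, not code from the thread or from Jeffrey Altman; the realm, NetBIOS
    domain, account and host names are hypothetical, and it assumes an elevated
    PowerShell prompt on a domain controller or a host with the RSAT
    ActiveDirectory module.

```powershell
# Added example, not from the thread: steps (1)-(3) above as commands. All
# names are hypothetical: realm EXAMPLE.COM, NetBIOS domain EXAMPLE, service
# account svc-foo, and a non-Windows host foo.example.com serving HTTP.
Import-Module ActiveDirectory

$Realm   = 'EXAMPLE.COM'
$Domain  = 'EXAMPLE'
$Account = 'svc-foo'
$Spn     = 'HTTP/foo.example.com'
$Keytab  = Join-Path $env:TEMP 'foo.keytab'

# (1) Add an account. The password set here only exists so the account can be
#     created; ktpass replaces it in step (3). Restricting the account to AES
#     keeps RC4 out of its msDS-SupportedEncryptionTypes.
$buf = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
$initial = ConvertTo-SecureString ([Convert]::ToBase64String($buf)) -AsPlainText -Force
New-ADUser -Name $Account -SamAccountName $Account -AccountPassword $initial `
    -Enabled $true -PasswordNeverExpires $true -KerberosEncryptionType AES256

# (2) Register the SPN on the account. -S (rather than -A) first checks the
#     forest for a duplicate and refuses to add one; two accounts carrying the
#     same SPN make Kerberos authentication to that service fail.
setspn -S $Spn "$Domain\$Account"
if ($LASTEXITCODE -ne 0) { throw "setspn failed for $Spn" }

# (3) Fix the enctype, set a random password on the account, map the Kerberos
#     principal to it and write the keytab. KRB5_NT_PRINCIPAL is the name type
#     a service principal should carry.
ktpass /princ "$Spn@$Realm" /mapuser "$Domain\$Account" `
       /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL `
       /pass '+rndpass' /out $Keytab
if ($LASTEXITCODE -ne 0) { throw "ktpass failed for $Spn@$Realm" }

# Check what was registered before shipping the keytab to the service host.
setspn -L "$Domain\$Account"
Get-ADUser $Account -Properties ServicePrincipalNames, 'msDS-SupportedEncryptionTypes' |
    Select-Object SamAccountName, ServicePrincipalNames, 'msDS-SupportedEncryptionTypes'
```

    The file written by /out is the service's long-term key: move it to the
    service host over a protected channel and delete the local copy. If the host
    already has a keytab from another realm, merge the new entries into it there
    (with MIT ktutil, `rkt` both files and `wkt` the result) rather than
    overwriting it.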

  3. Re: AW: Proof of authenticity of TGT



    Ken Raeburn wrote:

    > On Aug 23, 2006, at 3:43, Olfmatic wrote:
    >
    >>I understand your warnings. But it is not possible to add the
    >>service to the realm, because it is running on a host that is not
    >>in the same windows domain and not in the same kerberos realm.


    Not true at least for Unix hosts. A service is "in a realm"
    by virtue of possessing the key of a service principal registered
    in the realm. The same service could accept tickets issued by
    multiple independent realms, if it had entries in its keytab
    for the principals.

    Now if the service is running on Windows, and you are using the Windows
    Kerberos, it might not be true, because Windows does more than Kerberos
    authentication.

    > To
    >>be more precise, it is not running in a kerberos realm at all and
    >>thus is not really a kerberos service.


    Then why are you trying to use Kerberos?



    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444
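    What "in a realm by virtue of possessing the key" means can be seen in the
    keytab itself. The following is an added example, not code from the thread or
    from any of its participants: a minimal reader for the version-2 keytab
    format that ktpass and MIT ktutil write, fed a constructed keytab holding
    keys for the same service principal in two independent realms, followed by
    the lookup a service performs when a ticket arrives. The realm names, the
    principal and the key bytes are made up; the builder exists only so the
    example runs without a real keytab.

```powershell
# Added example (not from the thread): read the version-2 keytab format and
# show one service holding keys for two realms. All sample data is constructed.

function ConvertTo-BE([uint32]$Value, [int]$Width) {
    # Big-endian encoding of $Value in $Width bytes.
    $out = New-Object byte[] $Width
    for ($i = $Width - 1; $i -ge 0; $i--) {
        $out[$i] = [byte]($Value -band 0xFF); $Value = $Value -shr 8
    }
    return ,$out
}

function Read-BE([byte[]]$Bytes, [int]$Offset, [int]$Width) {
    # Big-endian unsigned integer of $Width bytes at $Offset.
    $v = [int64]0
    for ($i = 0; $i -lt $Width; $i++) { $v = ($v -shl 8) -bor $Bytes[$Offset + $i] }
    return $v
}

function New-KeytabEntry([string]$Principal, [string]$Realm, [int]$Kvno,
                         [int]$Enctype, [byte[]]$Key) {
    # One entry: size, principal (realm first), name type, timestamp, 8-bit kvno,
    # keyblock, then the 32-bit kvno that version-2 keytabs append.
    $enc   = [System.Text.Encoding]::ASCII
    $comps = $Principal -split '/'
    $body  = New-Object System.Collections.Generic.List[byte]
    $body.AddRange((ConvertTo-BE $comps.Count 2))
    foreach ($s in (@($Realm) + $comps)) {
        $b = $enc.GetBytes($s)
        $body.AddRange((ConvertTo-BE $b.Length 2)); $body.AddRange($b)
    }
    $body.AddRange((ConvertTo-BE 1 4))               # name_type KRB5_NT_PRINCIPAL
    $body.AddRange((ConvertTo-BE 0 4))               # timestamp, unused here
    $body.Add([byte]($Kvno -band 0xFF))
    $body.AddRange((ConvertTo-BE $Enctype 2))
    $body.AddRange((ConvertTo-BE $Key.Length 2)); $body.AddRange($Key)
    $body.AddRange((ConvertTo-BE $Kvno 4))
    return [byte[]]((ConvertTo-BE $body.Count 4) + $body.ToArray())
}

function Read-Keytab([byte[]]$Bytes) {
    if ($Bytes.Length -lt 2 -or $Bytes[0] -ne 5 -or $Bytes[1] -ne 2) { throw 'not a version-2 keytab' }
    $enc = [System.Text.Encoding]::ASCII
    $entries = @()
    $pos = 2
    while ($pos + 4 -le $Bytes.Length) {
        $size = Read-BE $Bytes $pos 4; $pos += 4
        if ($size -ge 0x80000000) { $size -= 0x100000000 }   # signed; negative = deleted slot
        if ($size -eq 0) { break }
        $end = $pos + [int][Math]::Abs($size)
        if ($size -lt 0) { $pos = $end; continue }
        $n = [int](Read-BE $Bytes $pos 2); $pos += 2
        $strings = @()
        for ($i = 0; $i -le $n; $i++) {                      # realm, then $n components
            $len = [int](Read-BE $Bytes $pos 2); $pos += 2
            $strings += $enc.GetString($Bytes, $pos, $len); $pos += $len
        }
        $pos += 8                                            # name_type and timestamp, skipped
        $vno = [int]$Bytes[$pos]; $pos += 1
        $etype = [int](Read-BE $Bytes $pos 2); $pos += 2
        $klen = [int](Read-BE $Bytes $pos 2); $pos += 2
        $key = [byte[]]$Bytes[$pos..($pos + $klen - 1)]; $pos += $klen
        if ($end - $pos -ge 4) { $vno = [int](Read-BE $Bytes $pos 4) }   # 32-bit kvno wins
        $pos = $end
        $entries += [pscustomobject]@{
            Principal = $(if ($n -gt 0) { $strings[1..$n] -join '/' } else { '' })
            Realm     = $strings[0]
            Kvno      = $vno
            Enctype   = $etype
            Key       = $key
        }
    }
    return ,$entries
}

function Find-ServiceKey([object[]]$Entries, [string]$Principal, [string]$Realm, [int]$Enctype) {
    # What the acceptor does with a ticket's sname/srealm: it can decrypt the
    # ticket only if the keytab holds that principal's key for that realm,
    # whichever KDC issued it. Highest kvno wins when several are present.
    $Entries | Where-Object { $_.Principal -eq $Principal -and $_.Realm -eq $Realm -and $_.Enctype -eq $Enctype } |
        Sort-Object Kvno -Descending | Select-Object -First 1
}

# Constructed sample: one service, keys from two independent realms
# (enctype 18 = aes256-cts-hmac-sha1-96, 32-byte keys; the bytes are placeholders).
$keytab = [byte[]](5, 2) +
    (New-KeytabEntry 'HTTP/foo.example.com' 'EXAMPLE.COM'     2 18 ([byte[]](1..32))) +
    (New-KeytabEntry 'HTTP/foo.example.com' 'LAB.EXAMPLE.ORG' 1 18 ([byte[]](33..64)))

$entries = Read-Keytab $keytab
$entries | Format-Table Principal, Realm, Kvno, Enctype
$hit  = Find-ServiceKey $entries 'HTTP/foo.example.com' 'LAB.EXAMPLE.ORG' 18
$miss = Find-ServiceKey $entries 'HTTP/foo.example.com' 'OTHER.REALM' 18
"ticket from LAB.EXAMPLE.ORG: $(if ($hit) { "key found, kvno $($hit.Kvno)" } else { 'no key, reject' })"
"ticket from OTHER.REALM: $(if ($miss) { 'key found' } else { 'no key, reject' })"
```

    Nothing in the lookup asks which realm the service "belongs to": the
    acceptor matches the ticket's server principal and realm against its own
    entries, so a keytab with entries from two realms makes the same service
    accept tickets from both, and a ticket for a realm with no entry is rejected.
    Point `Read-Keytab` at `[IO.File]::ReadAllBytes('/etc/krb5.keytab')` (or a
    file written by ktpass) to inspect a real one.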

