directory-kerby mailing list archives

From Marc Boorshtein <>
Subject Re: KDC is rejecting my TGS
Date Sun, 22 Nov 2015 02:40:03 GMT
On Fri, Nov 20, 2015 at 11:05 PM, Zheng, Kai <> wrote:

> See your snapshots. In the two AS-REQes, a diff is the kdc-option flags.
> Kerby sets the following all by default, which may be incorrect.
> In the client side file:
>     protected void processKdcOptions() {
>         // By default enforce these flags
>         kdcOptions.setFlag(KdcOption.FORWARDABLE);
>         kdcOptions.setFlag(KdcOption.PROXIABLE);
>         kdcOptions.setFlag(KdcOption.RENEWABLE_OK);

So I made these line up, I also added a flag to makeRequest to not include
the cname for TGS-REQ, removed the "from" for TGS and set until for TGS-REQ
to 0.  These changes made the TGS-REQ the same, but the same error.  Going
through the MIT source code, the error is actually only generated by the
encoder, not the decoder.  I don't think the issue was with the TGS-REQ,
but when the KDC is generating the TGS-REP.  Looking at the AS-REQ, the
only difference I see is the kvno in the PA-ENC-TIMESTAMP.  Looking through
the code now to figure out how to include the kvno.

