Adding the user to the local machine database is not about authentication but authorization. Once the machine has identified that I am [EMAIL PROTECTED], it needs to know whether or not there is an account which [EMAIL PROTECTED] is allowed to access.
Jeffrey Altman

Lara Adianto wrote:
> Thanks, that's a very clear explanation!
> But I still can't understand why I should add the user to the local
> machine as well. When the server (the local machine) does AP-REQ
> processing, it doesn't need the username, right? The server only needs
> to compare the username in the authenticator and the ticket and see if
> the two of them match... Correct me if I'm wrong.
>
> -lara-
>
> --- Jeffrey Altman <[EMAIL PROTECTED]> wrote:
>
>> Lara Adianto wrote:
>>
>>> 1. ksetup /setmachpassword password
>>> If we don't do this, the user can't log in, although on the KDC side
>>> it seems that the AS-REQ is being granted. Why?
>>>
>>> 2. Why do I need to add the user in the local machine (Windows) in
>>> order for it to be able to authenticate to the MIT KDC, although
>>> actually the username (or the principal in this case) is already
>>> added in the KDC?
>>
>> If pre-authentication is not being used it is possible for anyone to
>> obtain a TGT for any principal; all you must do is ask the KDC for one
>> and it will send it. The TGT is encrypted in the long-term key of the
>> principal and it is assumed that only the individual who knows that
>> long-term key can decrypt it. (A naive assumption, which is why
>> pre-authentication should be required.)
>>
>> The machine you are logging into does not know whether or not
>> pre-authentication was used to obtain the TGT. The user who obtains the
>> TGT must authenticate herself to the machine. This requires an AS_REQ
>> exchange in order to obtain a service ticket authenticating the user
>> principal to the machine. Simply obtaining the service ticket does not
>> prove authentication. The machine must be able to decrypt it and
>> perform a mutual authentication proof using the knowledge provided
>> within.
>>
>> The ksetup set machine password command performs the Windows
>> equivalent of providing a keytab on Unix. It gives the machine access
>> to its long-term key so that it is capable of decrypting the service
>> ticket the user will present during an authentication at login.
>>
>> Jeffrey Altman
>
> =====
> ------------------------------------------------------------------------------------
> Life, you see, is never as good nor as bad as one thinks.
> - Guy de Maupassant -
> ------------------------------------------------------------------------------------

--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
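To make the two separate steps in this thread concrete, here is an added Go sketch, written for this page and not taken from the thread, from MIT Kerberos or from Windows: toy JSON message layouts, AES-256-GCM standing in for a real Kerberos enctype, the TGS-REP leg omitted, and every principal name, key and account constructed. It models what the machine does with an AP-REQ at login: first authentication (decrypt the ticket with its own long-term key, decrypt the authenticator with the session key found inside, compare the client names and the timestamp, and return an AP-REP so the client can confirm the machine really holds its key), then the separate authorization lookup of the principal in the local account table. A machine with no long-term key fails at the first step, which is the "ksetup /setmachpassword" point; a principal with no local account passes the first step and fails the second, which is the "add the user" point.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// One error per failure mode the thread discusses.
var ErrNoMachineKey = errors.New("no long-term key on this machine: ticket cannot be decrypted")
var ErrBadTicket = errors.New("ticket does not verify under the machine key")
var ErrBadAuthenticator = errors.New("authenticator invalid: wrong key, name mismatch, or outside clock skew")
var ErrNoLocalAccount = errors.New("authenticated, but no local account maps to this principal")

// Toy layouts (JSON, sealed with AES-256-GCM and a 12-byte random nonce prefix in place of a Kerberos
// enctype): the ticket under the service's long-term key, the authenticator under the session key it carries.
type Ticket struct{ Client string; SessionKey []byte }
type Authenticator struct{ Client string; Time time.Time }
type APReq struct{ Ticket, Authenticator []byte }

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key in this demo is 32 bytes; a missing key is rejected before we get here
	}
	g, _ := cipher.NewGCM(block)
	return g
}
func seal(key []byte, v any) []byte {
	plain, _ := json.Marshal(v)
	nonce := make([]byte, 12); rand.Read(nonce) // crypto/rand; does not fail on supported platforms
	return gcm(key).Seal(nonce, nonce, plain, nil)
}
func unseal(key, blob []byte, v any) error {
	if len(blob) < 12 {
		return errors.New("short ciphertext")
	}
	plain, err := gcm(key).Open(nil, blob[:12], blob[12:], nil)
	if err != nil {
		return err
	}
	return json.Unmarshal(plain, v)
}
func newKey() []byte { k := make([]byte, 32); rand.Read(k); return k }

// IssueServiceTicket plays the KDC (the TGS-REP that carries the session key to the client is omitted); BuildAPReq plays the client at login.
func IssueServiceTicket(serviceKey []byte, client string) (ticket, sessionKey []byte) {
	sessionKey = newKey()
	return seal(serviceKey, Ticket{Client: client, SessionKey: sessionKey}), sessionKey
}
func BuildAPReq(ticket, sessionKey []byte, client string, now time.Time) APReq {
	return APReq{Ticket: ticket, Authenticator: seal(sessionKey, Authenticator{Client: client, Time: now})}
}

type Service struct {
	LongTermKey   []byte            // nil until ksetup /setmachpassword or a keytab supplies it
	LocalAccounts map[string]string // principal -> local account: the "add the user" step
	MaxSkew       time.Duration
}

// VerifyAPReq is authentication only; it returns the proven principal and an AP-REP (the authenticator time sealed under the session key) that ClientCheckAPRep verifies for mutual authentication.
func (s *Service) VerifyAPReq(req APReq, now time.Time) (string, []byte, error) {
	if s.LongTermKey == nil {
		return "", nil, ErrNoMachineKey
	}
	var t, a = Ticket{}, Authenticator{}
	if unseal(s.LongTermKey, req.Ticket, &t) != nil {
		return "", nil, ErrBadTicket
	}
	if unseal(t.SessionKey, req.Authenticator, &a) != nil || a.Client != t.Client || now.Sub(a.Time) > s.MaxSkew || a.Time.Sub(now) > s.MaxSkew {
		return "", nil, ErrBadAuthenticator // wrong key, name mismatch, or a stale/replayed authenticator
	}
	return t.Client, seal(t.SessionKey, a.Time), nil
}

// Authorize is the separate step: which local account, if any, may this principal use?
func (s *Service) Authorize(principal string) (string, error) {
	if acct, ok := s.LocalAccounts[principal]; ok {
		return acct, nil
	}
	return "", ErrNoLocalAccount
}

func ClientCheckAPRep(sessionKey, apRep []byte, sent time.Time) bool {
	var got time.Time
	return unseal(sessionKey, apRep, &got) == nil && got.Equal(sent)
}

func main() {
	key, now := newKey(), time.Now()
	ticket, sk := IssueServiceTicket(key, "lara@EXAMPLE.COM") // constructed principal
	svc := &Service{LongTermKey: key, MaxSkew: 5 * time.Minute, LocalAccounts: map[string]string{"lara@EXAMPLE.COM": "lara"}}
	principal, rep, err := svc.VerifyAPReq(BuildAPReq(ticket, sk, "lara@EXAMPLE.COM", now), now)
	fmt.Println("authenticated:", principal, err, "| mutual auth:", ClientCheckAPRep(sk, rep, now))
	fmt.Println(svc.Authorize(principal))
}
```

Running it with `go run` walks the happy path; constructing a `Service` with `LongTermKey: nil` reproduces the "can't log in although the KDC granted the request" symptom (the machine never gets as far as the authenticator), and a `Service` with a key but an empty `LocalAccounts` map reproduces the "authenticated but no account" case. Note that the authenticator check compares the client name inside the ticket with the one in the authenticator, as Lara describes, but only after the ticket has been decrypted with the machine's own key, which is what makes the comparison meaningful.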
