- Bug
- Resolution: Duplicate
- P4
- None
- 7
- None
- generic
- generic
After AS-REQ, if a KRB-ERROR of PREAUTH-REQUIRED includes a PA-ETYPE-INFO(2) demanding that a new salt be used, PrincipalName.setSalt() is called. In the current impl, it seems the method is called twice, once inside Credentials.acquireTGT() and once inside KrbAsReq's constructor (which is called in acquireTGT()). This is a dup.
Will also study if the salt field should be embedded inside PrincipalName, or if it's only useful during the AS-REQ process. Is it useful/correct to cache it inside PrincipalName? If another initial TGT is needed, the current impl sends a plain-vanilla AS-REQ without any preauth info, and the KDC would send PREAUTH-REQUIRED again including the new salt info, hence there's no need to cache it. And, is it possible that the KDC changes the salt in the second response? Probably not unless the user's password is reset.
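Added example, not part of the original report and not JDK code: a Python model of the alternative the description considers, where the salt from PA-ETYPE-INFO2 is held in per-exchange state and relearned on each initial TGT request instead of being cached on the principal name. The `AsExchange` and `EtypeInfo2Entry` names, the realm, principal, password and renamed-account salt are all hypothetical; only the PBKDF2 stage of the RFC 3962 AES string-to-key is computed, the final DK derivation is omitted.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_ITERATIONS = 4096  # RFC 3962 default when no s2kparams are sent

def default_salt(realm: str, components: List[str]) -> bytes:
    """RFC 4120 default salt: realm followed by the principal name components."""
    return (realm + "".join(components)).encode("utf-8")

def pbkdf2_stage(password: str, salt: bytes, iterations: int, keylen: int = 16) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of RFC 3962 string-to-key (final DK step omitted)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, keylen)

@dataclass
class EtypeInfo2Entry:
    """Constructed stand-in for one PA-ETYPE-INFO2 entry in the KRB-ERROR."""
    etype: int
    salt: Optional[bytes] = None
    iterations: int = DEFAULT_ITERATIONS

class AsExchange:
    """Hypothetical per-exchange state: the salt lives here, not on the principal."""

    def __init__(self, realm: str, components: List[str], password: str):
        self.password = password
        self.salt = default_salt(realm, components)
        self.iterations = DEFAULT_ITERATIONS

    def on_preauth_required(self, entry: EtypeInfo2Entry) -> None:
        # Apply the KDC's hint exactly once; an absent salt means "keep the default".
        if entry.salt is not None:
            self.salt = entry.salt
        self.iterations = entry.iterations

    def key_material(self) -> bytes:
        return pbkdf2_stage(self.password, self.salt, self.iterations)

def demo():
    # Constructed case: the KDC still salts with the account's former name.
    hint = EtypeInfo2Entry(etype=17, salt=b"EXAMPLE.COMalice.old")
    first = AsExchange("EXAMPLE.COM", ["alice"], "correct horse")
    stale = first.key_material()      # default salt: not the key the KDC holds
    first.on_preauth_required(hint)
    second = AsExchange("EXAMPLE.COM", ["alice"], "correct horse")
    second.on_preauth_required(hint)  # a later TGT request relearns the salt
    return stale, first.key_material(), second.key_material()
```

Both exchanges arrive at the same key material without any salt stored on the principal, while the key derived from the default salt differs from it.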
- duplicates
- JDK-6960894 Better AS-REQ creation and processing
- Closed