2.9. Other KDC Options

There are three additional options that MAY be set in a client's request of the KDC.

2.9.1. Renewable-OK

The RENEWABLE-OK option indicates that the client will accept a renewable ticket if a ticket with the requested life cannot otherwise be provided.

Behavior

  • If a ticket with the requested life cannot be provided, then the KDC MAY issue a renewable ticket with a renew-till equal to the requested endtime
  • The value of the renew-till field MAY still be adjusted by:
    • Site-determined limits
    • Limits imposed by the individual principal or server

2.9.2. ENC-TKT-IN-SKEY

In its basic form, the Kerberos protocol supports authentication in a client-server setting and is not well suited to authentication in a peer-to-peer environment because the long-term key of the user does not remain on the workstation after initial login.

Purpose

The ENC-TKT-IN-SKEY option supports user-to-user authentication:

  • It allows the KDC to issue a service ticket encrypted using the session key from another TGT, one issued to another user
  • It is honored only by the ticket-granting service
  • It indicates that the ticket to be issued for the end server is to be encrypted in the session key from the additional (second) TGT provided with the request

See Section 3.3.3 for specific details.

2.9.3. Passwordless Hardware Authentication

The OPT-HARDWARE-AUTH option indicates that the client wishes to use some form of hardware authentication instead of or in addition to the client's password or other long-lived encryption key.

Behavior

  • OPT-HARDWARE-AUTH is honored only by the authentication service
  • If supported and allowed by policy, the KDC will return an error code of KDC_ERR_PREAUTH_REQUIRED
  • That error response includes the METHOD-DATA required to perform such authentication
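The three options above are easiest to compare side by side as decisions a KDC makes while processing a request: how RENEWABLE-OK changes the issued endtime and renew-till under site and per-principal limits (Section 2.9.1), which key the service ticket is sealed under when ENC-TKT-IN-SKEY is set and why only the TGS honors it (Section 2.9.2), and how the authentication service answers OPT-HARDWARE-AUTH with KDC_ERR_PREAUTH_REQUIRED plus METHOD-DATA (Section 2.9.3). The following Python model is an added example written for this page; it is not the code of any real KDC and does not use RFC 4120's ASN.1 wire format. Times are integer seconds, and the policy limits, principal names, session-key labels and METHOD-DATA entries are constructed values. KDC_ERR_BADOPTION is RFC 4120's general code for an option the KDC cannot accommodate; its use for a rejected ENC-TKT-IN-SKEY request is a modelling assumption, since this page names only KDC_ERR_PREAUTH_REQUIRED.

```python
"""Illustrative model of how a KDC interprets the three Section 2.9 options.
Added example for this page: not a real KDC implementation and not the RFC 4120
wire format.  Times are integer seconds; all names, limits and keys are constructed.
"""
from dataclasses import dataclass
from enum import Flag, auto
from typing import List, Optional


class KDCOptions(Flag):
    """Only the three options from Section 2.9 are modelled."""
    RENEWABLE_OK = auto()
    ENC_TKT_IN_SKEY = auto()
    OPT_HARDWARE_AUTH = auto()


@dataclass
class Policy:
    """Site-determined limits (constructed values)."""
    max_life: int               # longest ticket life the realm issues
    max_renewable_life: int     # furthest renew-till the realm allows
    hardware_auth: bool = True  # whether hardware preauthentication is offered


@dataclass
class Principal:
    """Client or server entry; None means no limit tighter than the site's."""
    name: str
    max_life: Optional[int] = None
    max_renewable_life: Optional[int] = None


@dataclass
class Ticket:
    client: str
    server: str
    session_key: str            # label standing in for the real session key
    endtime: int
    renew_till: Optional[int] = None
    is_tgt: bool = False
    sealed_with: str = ""       # label of the key the ticket is encrypted under


@dataclass
class Request:
    service: str                # "AS" (authentication service) or "TGS"
    client: Principal
    server: Principal
    options: KDCOptions
    starttime: int
    till: int                   # requested endtime
    additional_ticket: Optional[Ticket] = None  # second TGT for user-to-user


class KDCError(Exception):
    def __init__(self, code: str, method_data: Optional[List[str]] = None):
        super().__init__(code)
        self.code = code
        self.method_data = method_data or []   # METHOD-DATA carried in the error


def tightest(site_limit: int, *principal_limits: Optional[int]) -> int:
    """Site limit further restricted by any per-principal limits (2.9.1)."""
    return min([site_limit] + [l for l in principal_limits if l is not None])


def compute_lifetime(req: Request, policy: Policy):
    """Apply the RENEWABLE-OK rule; returns (endtime, renew_till)."""
    max_life = tightest(policy.max_life, req.client.max_life, req.server.max_life)
    max_renew = tightest(policy.max_renewable_life,
                         req.client.max_renewable_life, req.server.max_renewable_life)
    if req.till - req.starttime <= max_life:
        return req.till, None                  # requested life can be provided
    endtime = req.starttime + max_life
    if KDCOptions.RENEWABLE_OK not in req.options:
        return endtime, None                   # client would not accept renewable
    # renew-till = requested endtime, still subject to site/principal limits
    return endtime, min(req.till, req.starttime + max_renew)


def select_sealing_key(req: Request) -> str:
    """Choose the key the service ticket is encrypted under (2.9.2)."""
    if KDCOptions.ENC_TKT_IN_SKEY not in req.options:
        return "longterm:" + req.server.name   # ordinary client-server case
    # Honored only by the TGS, and only with a second TGT in the request.
    # KDC_ERR_BADOPTION here is a modelling assumption, not taken from the page.
    extra = req.additional_ticket
    if req.service != "TGS" or extra is None or not extra.is_tgt:
        raise KDCError("KDC_ERR_BADOPTION")
    return "session:" + extra.session_key      # sealed in the other user's session key


def handle_request(req: Request, policy: Policy) -> Ticket:
    """Process one AS or TGS request under the three Section 2.9 options."""
    # 2.9.3: OPT-HARDWARE-AUTH is honored only by the authentication service.
    if (req.service == "AS" and KDCOptions.OPT_HARDWARE_AUTH in req.options
            and policy.hardware_auth):
        # The METHOD-DATA entry is a constructed label, not a real PA-DATA value.
        raise KDCError("KDC_ERR_PREAUTH_REQUIRED",
                       method_data=["PA-DATA(hardware-auth, constructed)"])
    endtime, renew_till = compute_lifetime(req, policy)
    return Ticket(client=req.client.name, server=req.server.name,
                  session_key="newsessionkey", endtime=endtime,
                  renew_till=renew_till, is_tgt=(req.service == "AS"),
                  sealed_with=select_sealing_key(req))
```

With a site maximum life of 10 hours and a renewable limit of 7 days, a TGS request for a 3-day ticket with RENEWABLE-OK comes back with a 10-hour endtime and a renew-till equal to the requested endtime; the same request against a server principal whose own renewable limit is 1 day gets its renew-till clamped to that day, and the same request without RENEWABLE-OK simply gets the 10-hour ticket. Sending ENC-TKT-IN-SKEY or OPT-HARDWARE-AUTH to the wrong service produces the error (for the former) or is ignored (for the latter), matching the "honored only by" statements above.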

Reference

For complete technical details, refer to RFC 4120 Section 2.9.