2. Ticket Flag Uses and Requests

Each Kerberos ticket contains a set of flags that are used to indicate attributes of that ticket. Most flags may be requested by a client when the ticket is obtained; some are automatically turned on and off by a Kerberos server as required. The following sections explain what the various flags mean and give examples of reasons to use them.

General Requirements

  • With the exception of the INVALID flag, clients MUST ignore ticket flags that are not recognized
  • KDCs MUST ignore KDC options that are not recognized
  • Some implementations of RFC 1510 are known to reject unknown KDC options
  • As a result, clients may need to resend a request without the new KDC options if the request was rejected when those options were sent
  • Clients MUST confirm that the ticket returned by the KDC meets their needs, since a requested option may have been ignored or refused (for example, a ticket requested as FORWARDABLE may come back without that flag set)

Design Considerations

Note that it is not, in general, possible to determine whether an option was not honored because it was not understood or because it was rejected through either configuration or policy. When adding a new option to the Kerberos protocol, designers should consider whether the distinction is important for their option. If it is, a mechanism for the KDC to return an indication that the option was understood but rejected needs to be provided in the specification of the option.
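The client-side handling the requirements above describe, as an added example that is not text or code from RFC 4120: it decodes the DER BIT STRING that carries TicketFlags, ignores unrecognized bits other than INVALID, checks that a returned ticket meets the client's needs, and resends a request without the new KDC options when a KDC in the RFC 1510 style rejects them. The two KDC stubs and the option bit 13 (unused in RFC 4120, standing in for a hypothetical new option) are constructed for the example; the flag and option bit numbers are the ones RFC 4120 assigns.

```python
"""Client-side handling of Kerberos ticket flags and KDC options.

Added example (not code from RFC 4120). The KDC stubs are constructed.
"""
from __future__ import annotations

# TicketFlags bit positions (RFC 4120 section 5.3.1); bit 0 is the MSB.
TICKET_FLAGS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may-postdate", 6: "postdated", 7: "invalid", 8: "renewable",
    9: "initial", 10: "pre-authent", 11: "hw-authent",
    12: "transited-policy-checked", 13: "ok-as-delegate",
}
INVALID_BIT = 7
# KDCOptions bit that asks for a given ticket flag (RFC 4120 section 5.4.1).
OPTION_FOR_FLAG = {"forwardable": 1, "proxiable": 3, "may-postdate": 5,
                   "postdated": 6, "renewable": 8}


def decode_kerberos_flags(der: bytes) -> set[int]:
    """Return the set bit positions of a DER-encoded KerberosFlags BIT STRING.

    KerberosFlags ::= BIT STRING (SIZE (32..MAX)); the first content octet is
    the unused-bits count. Only short-form lengths are handled, which covers
    every flag field in practice.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unsupported or inconsistent length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits octet")
    nbits = len(body) * 8 - unused
    if nbits < 32:
        raise ValueError("KerberosFlags must carry at least 32 bits")
    return {i for i in range(nbits) if body[i // 8] & (0x80 >> (i % 8))}


def encode_kerberos_flags(bits: set[int]) -> bytes:
    """Inverse of decode_kerberos_flags: at least 32 bits, no unused bits."""
    nbytes = max(4, max(bits, default=0) // 8 + 1)
    body = bytearray(nbytes)
    for b in bits:
        body[b // 8] |= 0x80 >> (b % 8)
    return bytes([0x03, nbytes + 1, 0]) + bytes(body)


def interpret_ticket_flags(der: bytes) -> set[str]:
    """Names of the recognized flags; unrecognized bits are ignored (section 2)."""
    return {TICKET_FLAGS[b] for b in decode_kerberos_flags(der) if b in TICKET_FLAGS}


def ticket_meets_needs(der: bytes, needed: set[str]) -> bool:
    """The check a client MUST make: every needed flag present and the ticket
    not INVALID. INVALID is tested on the raw bit so that even a client that
    recognizes no other flag cannot accidentally use such a ticket."""
    bits = decode_kerberos_flags(der)
    return INVALID_BIT not in bits and needed <= interpret_ticket_flags(der)


class KdcRejectsUnknownOptions(Exception):
    """Behaviour of some RFC 1510 implementations: error on unknown options."""


def request_ticket(kdc, needed: set[str], new_opts: set[int]) -> bytes:
    """Send the base options plus new_opts; if the KDC rejects the request,
    resend without the new options, as section 2 says clients may need to."""
    base = {OPTION_FOR_FLAG[n] for n in needed if n in OPTION_FOR_FLAG}
    try:
        return kdc(base | new_opts)
    except KdcRejectsUnknownOptions:
        return kdc(base)


def legacy_kdc(opts: set[int]) -> bytes:
    """Constructed stub: knows only forwardable/proxiable/renewable, rejects
    anything else, and sets INITIAL on every ticket it issues."""
    known = {1, 3, 8}
    if opts - known:
        raise KdcRejectsUnknownOptions(sorted(opts - known))
    return encode_kerberos_flags(opts | {9})


def policy_kdc(opts: set[int]) -> bytes:
    """Constructed stub: ignores unknown options (as RFC 4120 requires) and
    also refuses FORWARDABLE by policy, silently dropping it. The client
    cannot tell the two cases apart, which is the Design Considerations point."""
    honored = opts & {3, 8}
    return encode_kerberos_flags(honored | {9})


if __name__ == "__main__":
    needed = {"forwardable", "renewable"}
    t = request_ticket(legacy_kdc, needed, {13})  # 13: hypothetical new option
    print(sorted(interpret_ticket_flags(t)), ticket_meets_needs(t, needed))
    t = request_ticket(policy_kdc, needed, {13})
    print(sorted(interpret_ticket_flags(t)), ticket_meets_needs(t, needed))
```

Against the legacy stub the first request fails, the retry without bit 13 succeeds, and the ticket passes the needs check. Against the policy stub the request is accepted but FORWARDABLE is missing, so the needs check fails; nothing in the reply tells the client whether the option was unknown or refused, which is why a new option that cares about the difference has to define its own "understood but rejected" indication.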