Administering the Kerberos Server
Manual Administration Using kadmin
Require Initial Authentication Attribute

The Require Initial Authentication attribute specifies if the server is allowed to issue service tickets to a service principal on behalf of a user principal using an existing TGT.

The Require Initial Authentication attribute applies only to service principals. If you set this attribute, user principals must reauthenticate to the Kerberos server before the server issues a service ticket for that service. For example, the change password service requires a principal to enter a password to receive a ticket for the change password service before changing the password. If you clear this attribute, the server may issue a service ticket based on the existing TGT of the user principal.

NOTE: In Principal Information>Edit>Edit Administrative Permissions, if you select the Require Initial Authentication attribute, the Allow as Service Attribute is automatically selected.

Do not enable this setting for user principal accounts. This attribute is applicable to selected service principals.

To modify the type of parameter attr for the principal admin and to set the Require Initial Authentication attribute, type kadmin at the
attr parameter type, and the attribute.

Following is a sample output of the Require Initial Authentication attribute:

Command: mod
Name of Principal to Modify: admin
Parameter Type to be Modified (attr,fcnt,vno, policy,dn or quit) :attr
Attribute (or quit): {tgt|notgt}
Principal modified.

The notgt command in kadmin is equivalent to selecting the Require Initial Authentication checkbox; the tgt command in kadmin is equivalent to clearing the Require Initial Authentication checkbox on the Principal Information window>Attributes tab.
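
As an added example (not part of the original guide or the product), the following Python script reads a captured kadmin session in the prompt format of the sample output above and reports attribute changes that clear Require Initial Authentication on a service principal or set it on a non-service principal. The captured transcript, the principal names, and the service_principals set are assumptions made for illustration.

```python
import re

# Prompts as they appear in the sample kadmin output on this page.
PROMPTS = {
    "cmd": re.compile(r"^Command:\s*(\S+)"),
    "principal": re.compile(r"^Name of Principal to Modify:\s*(\S+)"),
    "ptype": re.compile(r"^Parameter Type to be Modified \(.*\)\s*:\s*(\S+)"),
    "attr": re.compile(r"^Attribute \(or quit\):\s*(\S+)"),
}

def attr_changes(transcript):
    """Return (principal, attribute) for each confirmed mod of type attr."""
    changes, state = [], {}
    for line in map(str.strip, transcript.splitlines()):
        if line.startswith("Command:"):
            state = {}  # a new command discards an abandoned exchange
        for key, rx in PROMPTS.items():
            if m := rx.match(line):
                state[key] = m.group(1)
        if line == "Principal modified.":  # only confirmed changes count
            if (state.get("cmd"), state.get("ptype")) == ("mod", "attr"):
                changes.append((state.get("principal"), state.get("attr")))
            state = {}
    return changes

def review(transcript, service_principals):
    # service_principals: names the site treats as services (assumed input).
    findings = []
    for principal, attr in attr_changes(transcript):
        if attr == "tgt" and principal in service_principals:
            findings.append((principal, "Require Initial Authentication cleared"))
        elif attr == "notgt" and principal not in service_principals:
            findings.append((principal, "notgt set on a non-service principal"))
    return findings

# Constructed transcript; the principal names are made up for illustration.
SAMPLE = """\
Command: mod
Name of Principal to Modify: backup/host1
Parameter Type to be Modified (attr,fcnt,vno, policy,dn or quit) :attr
Attribute (or quit): tgt
Principal modified.
Command: mod
Name of Principal to Modify: alice
Parameter Type to be Modified (attr,fcnt,vno, policy,dn or quit) :attr
Attribute (or quit): notgt
Principal modified.
"""
if __name__ == "__main__":
    print(review(SAMPLE, service_principals={"backup/host1"}))
```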