Administration
Manual Administration Using kadmin
Allow Duplicate Session Key Attribute
The Allow Duplicate Session Key attribute determines whether a principal is allowed to use a duplicate session key. A duplicate session key applies to
This setting controls the security protocol between an initiator, typically a client application, and an acceptor, typically a service. When a user performs an action that causes the initiator application to request a duplicate session key:
• the initiator application sends two TGTs, the initiator's and the acceptor's, to the TGS as a request
• the service ticket returned to the initiator application is encrypted with the acceptor's secret key, provided this attribute is not set
This attribute is set by default, so an initiator application is allowed to request a duplicate session key for the acceptor's application. Principal accounts that use duplicate session keys must also be assigned the Allow as Service attribute.
To set the Allow Duplicate Session Key attribute on the principal admin, modify the parameter type attr as follows:
Command: mod
Name of Principal to Modify: admin
Parameter Type to be Modified (attr,fcnt,vno or quit): attr
Attribute (or quit): {dskey|nodskey}
Principal modified.
Require Preauthentication Attribute
The Require Preauthentication attribute determines whether a principal is required to preauthenticate when requesting a TGT. Preauthentication means that the client logon program attaches known encrypted data to the ticket request, providing additional security when the TGT is later presented to gain access to a secured service.
The Require Preauthentication attribute applies to user and service principals. If this attribute is set for a:
• User principal, the user must run logon software that performs authentication using the preauthentication protocol
Chapter 6 | 181 |