Administration

Manual Administration Using kadmin

To modify the parameter type attr of the principal admin and set the Allow as Service attribute, do the following:

Command: mod

Name of Principal to Modify: admin

Parameter Type to be Modified (attr,fcnt,vno or quit) :attr

Attribute (or quit): {svrnosvr}

Principal modified.

Require Initial Authentication Attribute

The Require Initial Authentication attribute specifies whether the server is allowed to issue service tickets to a service principal on behalf of a user principal using an existing TGT.

The Require Initial Authentication attribute applies only to service principals.

If this attribute is set, user principals must re-authenticate to the security server before the server issues a service ticket for that service. For example, the change password service requires a principal to enter a password to receive a ticket for the change password service before the password can be changed.

If this attribute is not set, the server may issue a service ticket based on the user principal’s existing TGT.

NOTE

In Administrator, when the Require Initial Authentication attribute is selected, the Allow as Service Attribute is automatically selected.

Do not enable this setting for user principal accounts. This attribute is applicable to selected service principals.

To modify the parameter type attr of the principal admin and set the Require Initial Authentication attribute, do the following:

Command: mod

Name of Principal to Modify: admin

Parameter Type to be Modified (attr,fcnt,vno or quit) :attr

Attribute (or quit): {tgtnotgt}

Principal modified.
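The following added example, which is not part of the original manual or the product's code, models the ticket-issuance rule described above and audits a principal inventory for the settings the text warns against. The class, function names and sample principals are hypothetical, and it assumes that a principal without Allow as Service receives no service tickets at all.

```python
from dataclasses import dataclass

@dataclass
class Principal:
    name: str
    is_service: bool                  # constructed inventory flag, not a kadmin field
    allow_as_service: bool = False
    require_initial_auth: bool = False

def select_require_initial_auth(p: Principal) -> None:
    # Per the NOTE: selecting Require Initial Authentication in Administrator
    # also selects Allow as Service.
    p.require_initial_auth = True
    p.allow_as_service = True

def may_issue_service_ticket(service: Principal, basis: str) -> bool:
    """basis: 'initial' = user just authenticated; 'tgt' = existing TGT presented."""
    if basis not in ("initial", "tgt"):
        raise ValueError(f"unknown basis: {basis}")
    if not service.allow_as_service:   # assumption: unset means no tickets for it
        return False
    if service.require_initial_auth and basis == "tgt":
        return False                   # user must re-authenticate first
    return True

def audit(principals):
    """Return (name, finding) pairs for settings the text warns against."""
    findings = []
    for p in principals:
        if p.require_initial_auth and not p.is_service:
            findings.append((p.name, "Require Initial Authentication on a user principal"))
        if p.require_initial_auth and not p.allow_as_service:
            findings.append((p.name, "Require Initial Authentication without Allow as Service"))
    return findings

# Constructed sample inventory (names are illustrative only).
changepw = Principal("changepw", is_service=True)
select_require_initial_auth(changepw)
fileserver = Principal("fileserver", is_service=True, allow_as_service=True)
alice = Principal("alice", is_service=False, require_initial_auth=True)
INVENTORY = [changepw, fileserver, alice]

if __name__ == "__main__":
    for svc in (changepw, fileserver):
        for basis in ("initial", "tgt"):
            print(svc.name, basis, may_issue_service_ticket(svc, basis))
    for name, finding in audit(INVENTORY):
        print("FINDING", name, finding)
```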
