"Kerberos-enabled" application requires re-entering of domain password?

    Kerberos Beauty
    I read and found that the many advantages of Kerberos include not requiring the user to re-enter the domain login credentials, as long as the TGT has not expired.

    After a Windows user has successfully authenticated to AD via the Kerberos protocol, this user will be granted a ticket-granting ticket (TGT), which is stored in the user's cache.

    Next, when this user launches a fat-client "Kerberos-enabled" application, Kerberos should send the previously issued TGT in the user's cache to the TGS in the KDC to request a service ticket (ST) to access this application.
    This means that the user need NOT enter the domain userid/password again in order to successfully launch this application.
    The same process should happen for other "Kerberos-enabled" applications.

    However, I came across a "Kerberos-enabled" application that still requires the user to enter domain login credentials even after they had logged in to the Windows domain earlier.

    I am confused.
    Is my understanding (no need to re-enter login credentials?) of Kerberos correct?
    Or is this particular "Kerberos-enabled" application a fake???

    In addition, the other Kerberos beauty is that the domain password entered by the user is NOT sent across the network.
    Only the "Security Principal" is sent across.
    Is my understanding correct too?

    Please help
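
The TGT and service-ticket flow described in the post, as an added example that is not part of the original post: a simplified Python model of the AS and TGS exchanges that records every message sent between client and KDC. The realm, user, password, SPN and the toy `seal`/`unseal` cipher are constructed for illustration; real Kerberos pre-authentication, timestamps and ticket lifetimes are omitted.

```python
import hashlib, hmac, json, os

REALM = "EXAMPLE.COM"                      # constructed realm, user and SPN throughout

def kdf(password, user):                   # stand-in for Kerberos string-to-key
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + user).encode(), 10_000)

def seal(key, obj):                        # toy encrypt-then-MAC, not a real Kerberos etype
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))

class KDC:
    def __init__(self):
        self.users = {"alice": kdf("Passw0rd!", "alice")}     # KDC stores the key, not the password
        self.services = {"app/fatclient": os.urandom(32)}
        self.krbtgt = os.urandom(32)

    def as_req(self, user):                # AS exchange: issue a TGT
        sk = os.urandom(16).hex()
        return seal(self.users[user], {"sk": sk}), seal(self.krbtgt, {"user": user, "sk": sk})

    def tgs_req(self, tgt, authenticator, spn):   # TGS exchange: TGT in, service ticket out
        t = unseal(self.krbtgt, tgt)
        if unseal(bytes.fromhex(t["sk"]), authenticator)["user"] != t["user"]:
            raise ValueError("authenticator does not match TGT")
        sk = os.urandom(16).hex()
        return (seal(bytes.fromhex(t["sk"]), {"sk": sk}),
                seal(self.services[spn], {"user": t["user"], "sk": sk}))

def logon(kdc, user, password, wire):      # the only step that needs the password
    enc_part, tgt = kdc.as_req(user)
    wire += [user.encode(), enc_part, tgt]
    sk = unseal(kdf(password, user), enc_part)["sk"]          # decrypted locally
    return {"user": user, "sk": bytes.fromhex(sk), "tgt": tgt}   # ticket cache

def get_service_ticket(kdc, cache, spn, wire):   # uses the cached TGT, no password argument
    auth = seal(cache["sk"], {"user": cache["user"]})
    enc_part, st = kdc.tgs_req(cache["tgt"], auth, spn)
    wire += [cache["tgt"], auth, spn.encode(), enc_part, st]
    return unseal(cache["sk"], enc_part)["sk"], st
```

In this model, `wire` ends up holding the principal name, the SPN and sealed blobs only, and `get_service_ticket` can be called repeatedly from the cache without the password.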