Does pre-authentication help against "insider" attacks?

Viktor Dukhovni heimdal at
Fri May 26 17:44:17 CEST 2017

> On May 26, 2017, at 11:35 AM, Jeffrey Altman <jaltman at> wrote:
> Pre-authentication reduces the risk of brute force attacks against user
> principals by requiring proof that the requester knows the long term
> secret before issuing a response encrypted by that long term secret.
> Pre-authentication plays no role in preventing brute force attacks
> against encrypted service tickets.
> Once an authenticated user has obtained a service ticket from the KDC
> they are free to do with it what they will including attempts at
> brute-forcing the service's key.  That is why it is so important to
> cease using weak encryption types for service keys including cross-realm
> services.

And in particular, "service accounts" (service principals) generally have
random keys generated by cryptographically strong PRNG.  They are typically
(on Unix systems) not and should not be "password based".

Now it is true that in Active Directory various services (SPNs)
require domain a password for their domain account (there are
no "keytab" files on Windows).  It is up to the domain administrator
to configure strong random passwords for such accounts.



More information about the Heimdal-discuss mailing list