Diffstat (limited to 'src/kdc/fast_util.c')
-rw-r--r-- | src/kdc/fast_util.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
index 17b8447..310faf0 100644
--- a/src/kdc/fast_util.c
+++ b/src/kdc/fast_util.c
@@ -148,6 +148,11 @@ kdc_find_fast(krb5_kdc_req **requestptr,
 if (retval == 0 &&fast_armored_req->armor) {
 switch (fast_armored_req->armor->armor_type) {
 case KRB5_FAST_ARMOR_AP_REQUEST:
+ if (tgs_subkey) {
+ krb5_set_error_message( kdc_context, KRB5KDC_ERR_PREAUTH_FAILED,
+ "Ap-request armor not permitted with TGS");
+ return KRB5KDC_ERR_PREAUTH_FAILED;
+ }
 retval = armor_ap_request(state, fast_armored_req->armor);
 break;
 default: |
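Review bot: The new rejection path in the `KRB5_FAST_ARMOR_AP_REQUEST` case leaves with a bare `return`, whereas the very next line and the rest of the switch record the result in `retval` and `break`. `fast_armored_req` has already been decoded at this point (the enclosing `if` dereferences it), so if kdc_find_fast frees it in common cleanup further down (the function starts and ends outside the hunk, so this is inferred), every rejected request would leak it, which matters in a long-running KDC on a path a client can hit repeatedly. Consider `retval = KRB5KDC_ERR_PREAUTH_FAILED;`, then `krb5_set_error_message(kdc_context, retval, "Ap-request armor not permitted with TGS");` and `break;`, after confirming that the code following the switch checks `retval` before it uses any armor key.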