Subject: Preauth tryagain should copy KDC cookie
RFC 6113 requires that "The client MUST copy the exact cookie
encapsulated in a PA-FX-COOKIE data element into the next message of the
same conversation." When we try again after a mechanism-specific error
(which in practice means a PKINIT error), we do not copy the KDC cookie.
We should fix this for better performance, but we do not need to
backport the fix as PKINIT does not require the use of cookies.
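
The RFC 6113 rule quoted above, as an added C example (not code from the krb5 tree): the retry request carries the mechanism's new padata plus a byte-exact copy of the PA-FX-COOKIE from the KDC's error. `struct pa_elem`, `find_cookie` and `build_retry_padata` are hypothetical names, and the cookie bytes are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PA_FX_COOKIE 133 /* padata type assigned by RFC 6113 */

/* Hypothetical pre-authentication element: a type plus opaque bytes. */
struct pa_elem { int type; size_t len; const unsigned char *data; };

/* Return the first PA-FX-COOKIE among n elements, or NULL if none. */
const struct pa_elem *find_cookie(const struct pa_elem *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (list[i].type == PA_FX_COOKIE)
            return &list[i];
    return NULL;
}

/* Build retry padata: the mechanism's elements, then a byte-exact copy of
 * the cookie from the KDC error if one was sent. Returns the element count
 * written to out (capacity cap), or -1 on overflow or allocation failure.
 * The caller frees the copied cookie bytes. */
int build_retry_padata(const struct pa_elem *err, size_t nerr,
                       const struct pa_elem *mech, size_t nmech,
                       struct pa_elem *out, size_t cap)
{
    const struct pa_elem *ck = find_cookie(err, nerr);
    size_t n = 0;
    if (nmech + (ck != NULL ? 1 : 0) > cap)
        return -1;
    for (size_t i = 0; i < nmech; i++)
        out[n++] = mech[i];
    if (ck != NULL) {
        /* The cookie is opaque to the client: copy it, never re-encode it. */
        unsigned char *copy = malloc(ck->len ? ck->len : 1);
        if (copy == NULL)
            return -1;
        if (ck->len)
            memcpy(copy, ck->data, ck->len);
        out[n++] = (struct pa_elem){ PA_FX_COOKIE, ck->len, copy };
    }
    return (int)n;
}

int main(void)
{
    const unsigned char ck[] = { 0x01, 0x00, 0xff }; /* constructed cookie */
    struct pa_elem err[] = { { PA_FX_COOKIE, sizeof ck, ck } }, out[2];
    printf("%d\n", build_retry_padata(err, 1, NULL, 0, out, 2));
    free((void *)out[0].data);
}
```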