Administering the Kerberos Server
Manual Administration Using kadmin
Require Initial Authentication Attribute
The Require Initial Authentication attribute specifies whether the server
is allowed to issue service tickets to a service principal on behalf of a user
principal using an existing TGT.
The Require Initial Authentication attribute applies only to service
principals. If you set this attribute, user principals must reauthenticate
to the Kerberos server before the server issues a service ticket for that
service. For example, the change password service requires a principal to
enter a password to receive a ticket for the change password service
before changing the password. If you do not set this attribute, the server may
issue a service ticket based on the existing TGT of the user principal.
NOTE: In Principal Information>Edit>Edit Administrative Permissions,
if you select the Require Initial Authentication attribute, the Allow
as Service Attribute is automatically selected.
Do not enable this setting for user principal accounts. This attribute is
applicable to selected service principals.
To modify the type of parameter attr for the principal admin and to set
the Require Initial Authentication attribute, type kadmin at the
HP-UX prompt and specify the mod command, the principal name, the
attr parameter type, and the attribute.
Following is a sample output of the Require Initial Authentication
Command: mod
Name of Principal to Modify: admin
Parameter Type to be Modified (attr,fcnt,vno, policy,dn or quit) :attr
Attribute (or quit): {tgt|notgt}
Principal modified.
The notgt command in kadmin is equivalent to selecting the Require
Initial Authentication checkbox. The tgt command in kadmin is equivalent
to clearing the Require Initial Authentication checkbox on the
Principal Information window>Attributes tab.
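
The effect of the notgt and tgt values on a ticket request can be modeled as shown below. This Python example is added here for illustration and is not HP-UX Kerberos server code; the Principal record, the kdc_decision and audit functions, and the principal names are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Principal:
    name: str
    is_service: bool
    notgt: bool = False  # True = Require Initial Authentication set (kadmin attr "notgt")


def kdc_decision(service, exchange, password_ok=False, tgt_valid=False):
    """Return (issued, reason) for a request for a ticket to `service`.

    exchange "AS":  the client authenticates with its password in this request.
    exchange "TGS": the client presents an existing TGT instead.
    """
    if exchange == "AS":
        return (True, "initial authentication") if password_ok else (False, "bad password")
    if exchange == "TGS":
        if not tgt_valid:
            return (False, "no valid TGT")
        if service.notgt:
            # The attribute is set: an existing TGT is not enough for this service.
            return (False, "service requires initial authentication")
        return (True, "existing TGT accepted")
    raise ValueError(f"unknown exchange: {exchange!r}")


def audit(principals):
    """Flag the setting the text warns against: notgt on a user principal."""
    return [p.name for p in principals if p.notgt and not p.is_service]


# Constructed sample records (hypothetical names, not taken from a real database).
CHANGEPW = Principal("svc/changepw", is_service=True, notgt=True)
FILESRV = Principal("svc/files", is_service=True, notgt=False)
ALICE = Principal("alice", is_service=False, notgt=True)  # misconfigured on purpose

if __name__ == "__main__":
    for svc in (CHANGEPW, FILESRV):
        for exch, kw in (("TGS", {"tgt_valid": True}), ("AS", {"password_ok": True})):
            print(svc.name, exch, kdc_decision(svc, exch, **kw))
    print("audit findings:", audit([CHANGEPW, FILESRV, ALICE]))
```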