security hole in GSSContext acceptSecContext method? (JAVA)

Question

When the service ticket generated by the client is sent to the server, GSSContext acceptSecContext method is to decode the such ticket that was encoded by the KDC.

when this method is called with the service ticket as its parameter, is the ticket actually being sent to the KDC itself to be decoded?

Otherwise wouldn't this be a security issue? because if the server can decode any valid ticket that it knows nothing about other than the some client sent to it or what or whom the ticket is for?

little confused

Any clarification is greatly appreciated.

I have read that the Application Server and KDC does communicate but I do not think that's always true.

for example, take look at the sample server code

The application server logs in to get context

LoginContext loginCtx = null;
loginCtx = new LoginContext("SPN", new LoginCallbackHandler( id, password ));
loginCtx.login();
Subject subject = loginCtx.getSubject();

then using that sujbect, it will perform previlege doAs

Subject.doAs( subject, new PrivilegedAction<String>() {
  public void run() {
    try {
        GSSManager manager = GSSManager.getInstance();
        GSSContext context = manager.createContext( (GSSCredential) null);
        context.acceptSecContext( serviceTicket, 0, serviceTicket.length);
        // now do something with decoded ticket 
    }
...
}

Answer 1

is the ticket actually being sent to the KDC itself to be decoded?

No, the application server and the KDC do not communicate.

That's why you have to copy the keytab generated on the KDC onto the application server before using the system.

The server tries to decrypt the ticket and if he's able to do so then he assumes the ticket was generated by the KDC, because he's the only person who knows the password, then it's a valid ticket.

---

Pre-sharing keys / passwords before the system is effectively on and then never sending it over the network is a common mechanism in many authentication protocols, e.g radius