For example, if a client uses one principal for administrative operations and another for less privileged operations, an attacker may coerce the client into using the wrong privilege level, causing some later operation to succeed or fail when it otherwise would not.
Request for Comments: 6806
Updates: 4120
Painless Security
K.
In normal operation as described in [RFC4120], a generated AP-REQ message includes in the Authenticator field a copy of the client's idea of its own principal name.
None of this requires the attacker to know the user's password, and without further checking, this could cause the user to unknowingly use the wrong credentials.
The clients will use this referral information to reach the realm of the target principal and then receive the ticket.
This memo also provides a mechanism for verifying that a request has not been tampered with in transit.

Status of This Memo

This is an Internet Standards Track document.