From 6561b13ccb504ba545b4e58fbe4c2f5dda3589cd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= <lha@kth.se>
Date: Sat, 31 Jan 2009 22:10:37 +0000
Subject: [PATCH] Verify flags after the user been required to prove its
 identity * with in a preauth mech, matches windows AD behavior.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24563 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/kerberos5.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 433cef0b9..e90a8ba8f 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -1076,13 +1076,6 @@ _kdc_as_rep(krb5_context context,
     if(ret)
 	goto out;
 
-    ret = _kdc_check_flags(context, config,
-			   client, client_name,
-			   server, server_name,
-			   TRUE);
-    if(ret)
-	goto out;
-
     memset(&et, 0, sizeof(et));
     memset(&ek, 0, sizeof(ek));
 
@@ -1365,6 +1358,19 @@ _kdc_as_rep(krb5_context context,
 	goto out;
     }
 
+    /*
+     * Verify flags after the user been required to prove its identity
+     * with in a preauth mech.
+     */
+
+    ret = _kdc_check_flags(context, config,
+			   client, client_name,
+			   server, server_name,
+			   TRUE);
+    if(ret)
+	goto out;
+
+
     /*
      * Find the client key (for preauth ENC-TS verification and reply
      * encryption).  Then the best encryption type for the KDC and