Interoperability between a W2K AD domain and an MIT Kerberos KDC.
We are trying to log on to a W2K Pro workstation that is a member of an AD domain (e.g. MICROSOFT.COM) with an MIT principal ([EMAIL PROTECTED]).
The encryption type we chose is RC4-HMAC, and we want to use pre-auth.
Implementation:
Cf. Kerberos step by step --> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
section "Setting Trust with a Kerberos Realm"
A cross-realm relationship is set up between MICROSOFT.COM and MIT.COM. [EMAIL PROTECTED] is mapped to [EMAIL PROTECTED].
Here is the configuration of [EMAIL PROTECTED]:
Principal: [EMAIL PROTECTED]
Expiration date: [never]
Last password change: Wed Feb 11 11:01:53 MET 2004
Password expiration date: [none]
Maximum ticket life: 15 days 00:00:00
Maximum renewable life: 15 days 00:00:00
Last modified: Wed Feb 11 11:01:53 MET 2004 (root/[EMAIL PROTECTED])
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 3
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Problem:
We can't log on to the workstation with this configuration (cf. the logs below).
test1: If PRE_AUTH is disabled for [EMAIL PROTECTED], it works.
test2: If PRE_AUTH is enabled but [EMAIL PROTECTED] has only the des-cbc-crc encryption type, it works.
Questions:
Is it possible to make this configuration work with both pre-auth enabled and rc4-hmac encryption on the MIT side?
If not, keeping the same configuration for the MIT principal, is it possible to force the W2K workstation to use des-cbc-md5 rather than rc4-hmac as the default encryption type at logon for the MIT.COM realm?
Annexes:
Windows error log:
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 594
Date: 11/02/2004
Time: 11:02:56
User: N/A
Computer: TS
Description:
Received a Kerberos error message: on logon session LogonUser
Client Time: MIT.COM\user
Server Time: 8:48:25.0000 7/17/2000 Z
Error Code: 10:2:56.0000 2/11/2004 (null) 0x19
Extended Error: KDC_ERR_PREAUTH_REQUIRED
Client Realm: MIT.COM
Client Name: rousset
Server Realm: MIT.COM
Server Name: krbtgt/MIT.COM
Target Name: krbtgt/[EMAIL PROTECTED]
Error Text: NEEDED_PREAUTH
File:
Line:
The error data is in the record data.
Data:
0000: 30 5a 30 09 a1 03 02 01   0Z0.¡...
0008: 02 a2 02 04 00 30 20 a1   .¢...0 ¡
0010: 03 02 01 0b a2 19 04 17   ....¢...
0018: 30 15 30 05 a0 03 02 01   0.0. ...
0020: 17 30 05 a0 03 02 01 01   .0. ....
0028: 30 05 a0 03 02 01 03 30   0. ....0
0030: 20 a1 03 02 01 13 a2 19    ¡....¢.
0038: 04 17 30 15 30 05 a0 03   ..0.0. .
0040: 02 01 17 30 05 a0 03 02   ...0. ..
0048: 01 01 30 05 a0 03 02 01   ..0. ...
0050: 03 30 09 a1 03 02 01 0d   .0.¡....
0058: a2 02 04 00               ¢...
MIT KDC error log:
Feb 11 11:02:56 persee krb5kdc[1152](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.1.2: NEEDED_PREAUTH: [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED], Additional pre-authentication required
Configuration:
Windows 2000 SP4. Time is synchronized between the W2K workstation and the MIT KDC.
Thank you
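The record data in the event 594 entry above is the DER-encoded METHOD-DATA that the KDC sends inside its KRB-ERROR (RFC 4120, section 5.2.7): the list of pre-authentication types it accepts, plus ETYPE-INFO / ETYPE-INFO2 entries naming the etypes it holds keys for. The decoder below is an added example written for this page, not code from the original poster, MIT or Microsoft. It is a minimal DER walker that assumes single-byte tags (all that Kerberos uses); the padata-type and etype name tables are from RFC 4120 sections 7.5.2 and 7.5.3 and RFC 4757, and the input bytes are transcribed from the hex dump above.

```python
"""Decode the METHOD-DATA from a KDC_ERR_PREAUTH_REQUIRED error, as found
in the record data of Windows Kerberos event 594.

Added example for this page: a minimal DER walker, not a full ASN.1
library and not code from the original poster or from MIT/Microsoft.
"""

# padata-type numbers, RFC 4120 section 7.5.2 (MIT's KDC advertises the
# SAM mechanism with type 13 in its hint list).
PA_TYPES = {
    1: "PA-TGS-REQ",
    2: "PA-ENC-TIMESTAMP",
    3: "PA-PW-SALT",
    10: "PA-AFS3-SALT",
    11: "PA-ETYPE-INFO",
    12: "PA-SAM-CHALLENGE",
    13: "PA-SAM-RESPONSE",
    19: "PA-ETYPE-INFO2",
}

# Encryption type numbers, RFC 4120 section 7.5.3 and RFC 4757 (23).
ETYPES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

# Record data of the event 594 entry quoted above, hex column only.
EVENT_594_DATA = bytes.fromhex(
    "30 5a 30 09 a1 03 02 01 02 a2 02 04 00 30 20 a1 "
    "03 02 01 0b a2 19 04 17 30 15 30 05 a0 03 02 01 "
    "17 30 05 a0 03 02 01 01 30 05 a0 03 02 01 03 30 "
    "20 a1 03 02 01 13 a2 19 04 17 30 15 30 05 a0 03 "
    "02 01 17 30 05 a0 03 02 01 01 30 05 a0 03 02 01 "
    "03 30 09 a1 03 02 01 0d a2 02 04 00"
)


def der_tlv(buf, pos=0):
    """Return (tag, contents, next_pos) for the DER element at buf[pos].

    Handles short- and long-form lengths; tags are assumed to be one byte,
    which holds for every Kerberos structure."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return tag, buf[pos:end], end


def der_children(contents):
    """Yield (tag, contents) for each element inside a SEQUENCE body."""
    pos = 0
    while pos < len(contents):
        tag, value, pos = der_tlv(contents, pos)
        yield tag, value


def der_fields(contents):
    """Map each EXPLICIT context tag [n] to the contents of the element it wraps."""
    fields = {}
    for tag, value in der_children(contents):
        if (tag & 0xC0) != 0x80:
            raise ValueError(f"expected a context-specific tag, got 0x{tag:02x}")
        fields[tag & 0x1F] = der_tlv(value)[1]
    return fields


def decode_etype_info(contents):
    """ETYPE-INFO(2) ::= SEQUENCE OF SEQUENCE { etype [0] Int32, salt [1] OPTIONAL, ... }."""
    _tag, entries, _end = der_tlv(contents)
    result = []
    for _tag, entry in der_children(entries):
        fields = der_fields(entry)
        etype = int.from_bytes(fields[0], "big", signed=True)
        result.append((etype, fields.get(1)))  # salt is None when absent
    return result


def decode_method_data(der):
    """METHOD-DATA ::= SEQUENCE OF PA-DATA { padata-type [1] Int32, padata-value [2] OCTET STRING }."""
    tag, body, end = der_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    result = []
    for _tag, padata in der_children(body):
        fields = der_fields(padata)
        patype = int.from_bytes(fields[1], "big", signed=True)
        item = {"type": patype, "name": PA_TYPES.get(patype, f"unknown({patype})")}
        if patype in (11, 19):
            item["etypes"] = [e for e, _salt in decode_etype_info(fields[2])]
        result.append(item)
    return result


def offered_etypes(method_data):
    """Etype names the KDC advertised, in order, across ETYPE-INFO and ETYPE-INFO2."""
    names = []
    for item in method_data:
        for e in item.get("etypes", []):
            name = ETYPES.get(e, f"etype {e}")
            if name not in names:
                names.append(name)
    return names


if __name__ == "__main__":
    decoded = decode_method_data(EVENT_594_DATA)
    for item in decoded:
        print(item)
    print("KDC offered:", ", ".join(offered_etypes(decoded)))
```

Run on the bytes from the event log, the decoder shows the KDC asking for PA-ENC-TIMESTAMP (and advertising SAM), with ETYPE-INFO and ETYPE-INFO2 both listing rc4-hmac, des-cbc-crc and des-cbc-md5 with no salt. That is consistent with the kadmin output above (rc4-hmac and des-cbc-crc keys, no salt; des-cbc-md5 presumably appears because the MIT KDC treats the single-DES variants as sharing one key) and with the AS_REQ etype list in the krb5kdc log, so the KDC side is offering exactly what was asked; the failure is in what the Windows client does next with that offer.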
Jeffrey Altman wrote:
Alberto Patino wrote:
On Wed, 2004-02-18 at 00:49, Jeffrey Altman wrote:
I have verified with Microsoft that the default configuration of Windows 2003 does not allow the use of RC4-HMAC with MIT KDC trust relationships. There is functionality to support this mode of operation; unfortunately there are no tools available to allow you to enable it.
I thought that the inclusion of support for the rc4-hmac encryption type in KDC servers (MIT & Heimdal) was aimed at avoiding the use of the not-very-secure des-cbc-md5 and des-cbc-crc enctypes when you want to interoperate between Windows and non-Windows Kerberos realms.
At present RC4-HMAC can only be used to obtain TGTs and service tickets. It cannot be used for cross-realm trusts.
I have obtained the necessary information to construct a tool to enable RC4-HMAC support for MIT KDC Trust relationships and will endeavor to build one in the next day or two for inclusion within the final release of KfW 2.6. At the very least this tool will allow you to specify a MIT Realm Name and allow the RC4-HMAC flag to be toggled on or off.
Will this tool work with Heimdal too?
As the tool affects the Windows 2003 Server LSA configuration, it should allow RC4-HMAC cross realm trusts to be configured with any non-MS KDC. (Assuming I can get it to work.)
Jeffrey Altman KfW Maintainer
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos