Hi guys, I'm having trouble using Kerberos over HTTP on Windows (Win2k client, server and KDC). I know this is strictly an MIT Kerberos list, but I've also seen archived posts on Windows AD help, and I really am at my wits' end with this.

I am using the jcifs-ext package with Java (testing on 1.4.1, 1.4.2 and 1.5), which does SPNEGO encryption on the tickets to make use of the Negotiate protocol in IE. Via Ethereal on both client and server I have found the following: the client sends the KDC an AS-REQ and gets back a DES-encrypted AS-REP. Then it sends a TGS-REQ, but specifies 7 different encryption types (5 HMAC, 2 DES). The TGS-REP which is sent back from the KDC is encrypted in DES-CBC-MD5, but the Ticket inside is in RC4-HMAC format. The Negotiate header is then formed and sent to the server. Incidentally, it *is* Kerberos Negotiate data, not Negotiate-wrapped NTLM data, as it begins with YIIE0WG... not the NTLM equivalent. Also, the data spans 2 TCP messages; could this be a problem? I know that TCP is used when the message is too big for UDP, but this happens even if I turn "Do Not Require Kerberos Preauthentication" on in AD on all accounts.

Both client and server user accounts have been set to use DES encryption in AD, as has the service principal account. All have had their passwords reset after changing the DES property. The keytab file was created after all of this with ktpass, specifying DES encryption too, and was placed on the server.

When I execute the program, the usual Java debug info appears, and everything seems fine: the keytab is found, Etype (which I'm assuming means "this message will be encrypted using...") is DesCbcCrcEType, etc. In Ethereal, the app fails after an AP-REQ and AP-REP on the server side, but no errors are shown in Ethereal. Both messages use DES-CBC-CRC encryption. The resulting stack trace from Java is caused by a KrbException saying "Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC", thrown from sun.security.krb5.KrbApReq.a(DashoA12275:261). I have no idea where this HMAC encryption is coming from.

That said, via the tools in the MS Resource Kit, I can see the tickets on the local machines. There are 2 on each: 1 is for the krbtgt service on the KDC, whose Ticket is encrypted in DES-CBC-MD5 and the Key with "etype 0". The other is called the same as the opposing machine but has a $ symbol after it, e.g. KERBEROSSERVER$ on the client. These are encrypted with RSADSI RC4-HMAC for both Ticket and Key. I have no idea what this latter ticket is for. Was it created by the LSA?

My real question is: where is all this RC4-HMAC encryption coming from if there is no trace of it in AD?

Thanks,
David

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
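Two checks a practitioner would want to run on a setup like the one described in the post above, written here as an added example that is not part of David's message, of jcifs-ext, or of MIT Kerberos: first, parse the keytab that ktpass wrote (MIT keytab format, version 0x0502) and list which encryption types it actually contains, so that an error such as "Cannot find key of appropriate type ... RC4 with HMAC" can be compared against the keys present; second, decide from the leading base64 characters of an HTTP Negotiate token whether it is a GSS-API (SPNEGO/Kerberos) token or an NTLMSSP token, which is the distinction the post draws from the "YIIE0WG..." prefix. The keytab bytes, the principal HTTP/kerberosserver.example.test, the realm EXAMPLE.TEST, the zeroed key material and the NTLM sample token are all constructed for this example; the etype numbers are the standard Kerberos assignments.

```python
"""Keytab etype inventory and Negotiate-token classification (added example)."""
import base64
import struct

# Kerberos encryption-type numbers (RFC 3961 / RFC 4757 assignments).
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp",
}
RC4_HMAC = 23  # the etype named in the post's KrbException


def _counted(buf, pos):
    """Read a keytab counted_octet_string: big-endian uint16 length, then bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return one dict per entry (principal, realm, kvno, etype, etype_name)
    from an MIT version-0x0502 keytab, which is the format ktpass produces."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != 0x0502:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        (etype,) = struct.unpack_from(">H", data, pos); pos += 2
        key, pos = _counted(data, pos)
        kvno = vno8
        if end - pos >= 4:                 # optional 32-bit kvno, overrides vno8 if nonzero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps), "realm": realm.decode(),
                        "kvno": kvno, "etype": etype,
                        "etype_name": ETYPE_NAMES.get(etype, "unknown")})
    return entries


def build_keytab(entries):
    """Serialise (principal, realm, kvno, etype, key) tuples into a v0x0502 keytab.
    Used only to construct sample input for this example."""
    out = [struct.pack(">H", 0x0502)]
    for principal, realm, kvno, etype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)
        out.append(struct.pack(">i", len(body)) + body)
    return b"".join(out)


# Constructed sample: a DES-only keytab like the one the post describes (zero keys).
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/kerberosserver.example.test", "EXAMPLE.TEST", 3, 1, bytes(8)),   # des-cbc-crc
    ("HTTP/kerberosserver.example.test", "EXAMPLE.TEST", 3, 3, bytes(8)),   # des-cbc-md5
])


def keytab_etypes(data):
    """Sorted list of distinct etype numbers present in the keytab."""
    return sorted({e["etype"] for e in parse_keytab(data)})


def missing_etype(data, required):
    """True when the keytab holds no key of the etype a peer is asking for."""
    return required not in keytab_etypes(data)


def classify_negotiate_token(token_b64):
    """Classify the base64 value of an HTTP 'Authorization: Negotiate' header.
    Only a multiple-of-4 prefix is decoded, so a truncated token is acceptable."""
    raw = base64.b64decode(token_b64[:len(token_b64) // 4 * 4])
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    if raw[:1] == b"\x60":   # DER [APPLICATION 0]: GSS-API InitialContextToken (SPNEGO/Kerberos)
        return "gss-api"
    return "unknown"


NEGOTIATE_PREFIX_FROM_POST = "YIIE0WG"   # the prefix quoted in the post
NTLM_SAMPLE_TOKEN = "TlRMTVNTUAABAAAA"   # constructed: base64 of b"NTLMSSP\x00\x01\x00\x00\x00"

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    print("keytab lacks rc4-hmac:", missing_etype(SAMPLE_KEYTAB, RC4_HMAC))
    print(classify_negotiate_token(NEGOTIATE_PREFIX_FROM_POST),
          classify_negotiate_token(NTLM_SAMPLE_TOKEN))
```

Run against a real keytab by reading the file bytes and passing them to parse_keytab; the inventory shows which etypes the service can decrypt with, which is the first thing to compare with whatever etype the KDC chose for the service ticket in the capture.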
