Tim, in our setup we use computer accounts instead of user accounts, and haven't experienced this issue. I think the latest ktpass can do this with mapuser having a $ at the end.
See ktpass for 2003 SP1
http://www.microsoft.com/downloads/ThankYou.aspx?familyId=6ec50b78-8be1-4e81-b3be-4e7ac4f0912d&displayLang=en

Regards
Markus

"Tim Alsop" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Hi,
>
> I wondered if anybody has any experience of this potential DoS issue:
>
> - It is common, when using Active Directory as a KDC for user accounts
> to be used when creating service principals, and using the Microsoft
> ktpass.exe utility to create a key table file.
>
> - It is also possible to configure Active Directory so that when a user
> gets their password wrong more than a specific number of times their
> account is locked until an administrator unlocks them.
>
> - If somebody tries to logon (deliberately, or by mistake) using an
> account which is being used for a service principal, and gets the
> password wrong many times, we assume that the account will be locked in
> the same way as a normal user account would be locked.
>
> - If an account gets locked and it is being used for a service
> principal, how does Active Directory handle this? Does it still issue
> service tickets for the principal when it receives a TGS request? Is
> there any special logic in AD so that accounts being used in this way
> are not locked?
>
> We plan to do some tests to understand what effect this might have, and
> whether there is cause for concern, but I wanted to first see if anybody
> else has come across this potential DoS, or has any ideas?
>
> Any feedback welcome.
>
> Take care,
>
> Tim
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
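
A monitoring sketch for the scenario raised in this thread, added here as an example and not taken from either poster: it scans an export of domain controller Security events for bad-password bursts and lockouts that hit user accounts mapped to service principals. The account names, the three-column export format, and the `warn_at`/`window` values are assumptions; the event IDs are those used by current Windows versions (4771 for a failed Kerberos pre-authentication, 4740 for an account lockout).

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed inventory: user accounts that have a service principal mapped
# to them (for example with ktpass -mapuser). The names are hypothetical.
SPN_ACCOUNTS = {"svc-http", "svc-ldap"}

# Constructed sample export: timestamp, event id, target account.
# 4771 = Kerberos pre-authentication failed, 4740 = account locked out.
SAMPLE = """\
2024-05-01T10:00:00,4771,svc-http
2024-05-01T10:00:20,4771,alice
2024-05-01T10:00:40,4771,svc-http
2024-05-01T10:01:10,4771,svc-http
2024-05-01T10:01:15,4740,svc-http
2024-05-01T11:30:00,4771,svc-ldap
"""


def scan(text, spn_accounts, warn_at=3, window=timedelta(minutes=30)):
    """Return (timestamp, account, reason) alerts for SPN-mapped accounts.

    warn_at should sit below the domain's lockout threshold so the alert
    arrives before the account is actually locked.
    """
    recent = defaultdict(deque)  # account -> timestamps of recent failures
    alerts = []
    for ts, event_id, account in csv.reader(io.StringIO(text)):
        account = account.lower()
        if account not in spn_accounts:
            continue  # only accounts backing a service principal matter here
        when = datetime.fromisoformat(ts)
        if event_id == "4771":
            failures = recent[account]
            failures.append(when)
            # Drop failures that have aged out of the observation window.
            while failures and when - failures[0] > window:
                failures.popleft()
            if len(failures) == warn_at:  # count in window reached warn_at
                alerts.append((ts, account, "bad-password burst"))
        elif event_id == "4740":
            alerts.append((ts, account, "service account locked out"))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE, SPN_ACCOUNTS):
        print(*alert)
```
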
