Hi Team,

Thanks a lot for your reply. Still, I am a bit hazy on this point. Could you please clarify the following?

Do you mean to say:

If we fill the preauth information with AS-REQ packet and send to KDC:
- Then in that case, if client enters the password wrongly, then KDC returns the preauth failure error. (since time mismatch exists between KDC server and client)

If we don't send the preauth information with AS-REQ packet:
- Then the wrong password at client side results in password failure error. Since the preauth is disabled. (Though time mismatch exists more than 5 minutes)

Conclusion:
1. Assume that, time difference between KDC and client is more than 5 minutes. (Let us say 24 hours).
2. If we don't send the preauth information with AS-REQ packet, and wrong password at client results in password failure error (Even though time mismatch exists).
3. Because we did not send the preauth information from AS-REQ pkt, we will receive password failure but not preauth failure error.

Is it right? Please let me know your thoughts.

Thank you,
-Surendra

----- Original Message -----
From: "Douglas E. Engert" <[EMAIL PROTECTED]>
To: "Surendra Babu A" <[EMAIL PROTECTED]>
Cc: <[email protected]>
Sent: Friday, February 03, 2006 9:12 PM
Subject: Re: Shall I capture Kerberos-password failure error message ALONE?

>
>
> Surendra Babu A wrote:
>
> > And one more thing: I am using Windows 2003 exchange server as my KDC server.
>
> AD does have alert messages about KDC failures. Note that the password is never
> sent to the KDC. The KDC can only detect a failure if pre-auth is used, and the
> client returns a pre-auth response encrypted in the wrong key generated from
> the wrong password and salt.
>
> >
> > Please let me know your thoughts.
> >
> > Thank you,
> > -Surendra
> > ----- Original Message -----
> > From: Surendra Babu A
> > To: [email protected]
> > Sent: Thursday, February 02, 2006 12:58 PM
> > Subject: Shall I capture Kerberos-password failure error message ALONE?
> >
> >
> > Hi Kerberos Team,
> >
> > If I enter the wrong password at KDC client, the KDC server gives the response of PREAUTH_FAILURE error. Right?
> >
> > 1. Is there any way I can get password failure error message? Is it true that
> > "Password verification will be done before sending preauth failure message?"
> >
> >
> > 2. Can I capture the error message of password failure alone (regardless of preauth failure error?) That means, if I enter the wrong password, the KDC server should reply with error. If I enter correct password, KDC should respond with SUCCESS message (without considering the preauth failure error). Is it possible with krb5 code?
> >
> > Please let me know your thoughts. Thank you.
> > -Surendra
> > ________________________________________________
> > Kerberos mailing list [email protected]
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
>
> --
>
> Douglas E. Engert <[EMAIL PROTECTED]>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
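
The AS exchange discussed in this thread, as an added Python sketch that is not part of the original messages and is not krb5 code: it models where a wrong password becomes visible with and without an encrypted-timestamp pre-auth, and how that differs from a clock-skew failure. Assumptions: all function names are hypothetical, the key derivation and encryption are simplified stand-ins for a real enctype, and 24 and 37 are the RFC 4120 codes for KDC_ERR_PREAUTH_FAILED and KRB_AP_ERR_SKEW.

```python
import hashlib, hmac, os, struct

# Error codes from RFC 4120; everything else is a simplified model (assumption).
KDC_ERR_PREAUTH_FAILED, KRB_AP_ERR_SKEW = 24, 37
MAX_SKEW = 300  # seconds: the 5-minute limit mentioned in the thread

def string_to_key(password, salt):
    # Stand-in for the Kerberos string-to-key function (not a real enctype).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)

def seal(key, data):
    # Toy authenticated encryption: XOR keystream plus HMAC tag (data <= 32 bytes).
    stream = hashlib.sha256(key + b"enc").digest()
    body = bytes(a ^ b for a, b in zip(data, stream))
    return body + hmac.new(key, data, hashlib.sha256).digest()

def unseal(key, blob):
    # Returns the plaintext, or None when the key is wrong (tag mismatch).
    body, tag = blob[:-32], blob[-32:]
    stream = hashlib.sha256(key + b"enc").digest()
    data = bytes(a ^ b for a, b in zip(body, stream))
    good = hmac.compare_digest(tag, hmac.new(key, data, hashlib.sha256).digest())
    return data if good else None

def kdc_as_req(user_key, kdc_now, padata=None):
    # KDC side: it holds only the stored key, never the typed password.
    if padata is not None:
        ts = unseal(user_key, padata)
        if ts is None:
            return ("error", KDC_ERR_PREAUTH_FAILED)  # wrong key, so wrong password
        if abs(struct.unpack(">Q", ts)[0] - kdc_now) > MAX_SKEW:
            return ("error", KRB_AP_ERR_SKEW)         # right key, clock out of range
    # No pre-auth sent (and none required): reply sealed under the stored key.
    return ("as-rep", seal(user_key, os.urandom(16)))

def client_login(password, salt, client_now, kdc, preauth):
    key = string_to_key(password, salt)
    padata = seal(key, struct.pack(">Q", client_now)) if preauth else None
    kind, value = kdc(padata)
    if kind == "error":
        return f"KDC error {value}"
    # Without pre-auth, a wrong password is only noticed here, on the client.
    return "success" if unseal(key, value) is not None else "client cannot decrypt AS-REP"

if __name__ == "__main__":
    salt, now = "EXAMPLE.COMalice", 1_700_000_000  # constructed sample values
    stored = string_to_key("correct horse", salt)
    kdc = lambda pa: kdc_as_req(stored, now, pa)
    for pw, pre in [("wrong", True), ("correct horse", True), ("wrong", False)]:
        print(pw, pre, client_login(pw, salt, now + 86400, kdc, pre))
```

In this model the client clock is 24 hours off in every demo case: a wrong password with pre-auth yields error 24, the correct password with pre-auth yields error 37, and a wrong password without pre-auth produces no KDC error at all.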
