-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 19 Jun 2006 at 12:42 (-0000), Jeffrey Altman wrote:

> Mike Friedman wrote:
>> I've been testing some Kerberos authentication code against both my MIT
>> K5 KDC and a Windows Active Directory KDC. In both cases, I'm using
>> pre-authentication. However, when I enter an incorrect password, the
>> MIT KDC returns 31 (decrypt integrity check failure), whereas the AD
>> KDC returns 24 (preauth failure). I'm just wondering what might
>> account for the different responses.
...
> It is a difference in the way RFC 4120 was interpreted. Microsoft
> read section 3.1.3 to indicate that only KDC_ERR_PREAUTH_FAILED may be
> returned if the pre-authentication check fails. MIT has historically
> provided the more specific error when the failure condition is that the
> known key fails to decrypt the request.

Indeed. In the course of my testing, I've discovered that Windows Kerberos, in general, seems to provide less informative return codes than MIT K5, in particular in their admin interface, which is not, of course, subject to the Kerberos protocol specs. For example, when changing a password, I can't tell the reason for a rejected new password, only that it's invalid.

Mike

_____________________________________________________________________
Mike Friedman                      System and Network Security
[EMAIL PROTECTED]                  2484 Shattuck Avenue
1-510-642-1410                     University of California at Berkeley
http://ack.Berkeley.EDU/~mikef     http://security.berkeley.edu
_____________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBRJbj6q0bf1iNr4mCEQKEvwCeNKZFmljdXvfetSxE5I+prFCvpVsAoNI5
4W5uPhwic2ml6q8BjTAbw5ek
=prrA
-----END PGP SIGNATURE-----

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
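The practical consequence of the two interpretations discussed in the thread is that a monitoring pipeline which watches only for error 24 will miss wrong-password attempts against an MIT KDC, which surfaces them as error 31. The following is an added example, not code from the thread or from either KDC vendor: it normalizes both codes to a single "wrong password" category, correlates the MIT and Active Directory views of the same principal, and flags principals with repeated failures. The log line formats (an MIT krb5kdc AS_REQ line and a flattened Windows event 4771 record) are constructed approximations, as are the principal names and addresses.

```python
"""Normalize Kerberos pre-authentication failures from MIT krb5 and Active
Directory KDC logs and flag principals with repeated wrong-password attempts.

Added example; the log formats below are constructed approximations of
krb5kdc and Windows 4771 output, not verbatim vendor formats.
"""
import re
from collections import Counter

# RFC 4120 error codes as they appear in the thread.
KRB_AP_ERR_BAD_INTEGRITY = 31   # MIT KDC: "Decrypt integrity check failed"
KDC_ERR_PREAUTH_FAILED = 24     # AD KDC: Failure Code 0x18 in event 4771

# Operationally both mean the same thing when pre-authentication is
# required: the key derived from the supplied password did not decrypt
# the encrypted timestamp.
WRONG_PASSWORD_CODES = {KRB_AP_ERR_BAD_INTEGRITY, KDC_ERR_PREAUTH_FAILED}

# Constructed approximation of an MIT krb5kdc AS_REQ failure line.
MIT_RE = re.compile(
    r"AS_REQ .*?: (?P<status>[A-Z_]+): (?P<princ>\S+) for \S+, (?P<msg>.+)$"
)
# Constructed approximation of a Windows 4771 event flattened to one line.
WIN_RE = re.compile(
    r"EventID=4771 .*?Account Name: (?P<princ>\S+) .*?Failure Code: 0x(?P<code>[0-9A-Fa-f]+)"
)

# MIT logs the human-readable message rather than the numeric code; map the
# two messages relevant here back to their RFC 4120 numbers.
MIT_MESSAGE_CODES = {
    "Decrypt integrity check failed": KRB_AP_ERR_BAD_INTEGRITY,
    "Preauthentication failed": KDC_ERR_PREAUTH_FAILED,
}


def normalize_principal(princ):
    """Strip the realm and lowercase so 'mikef@EXAMPLE.COM' (MIT) and
    'mikef' (AD) count as the same principal."""
    return princ.split("@", 1)[0].lower()


def parse_line(line):
    """Return (principal, error_code) for a pre-auth failure line, else None."""
    m = MIT_RE.search(line)
    if m:
        code = MIT_MESSAGE_CODES.get(m.group("msg").strip())
        if code is None:
            return None
        return normalize_principal(m.group("princ")), code
    m = WIN_RE.search(line)
    if m:
        return normalize_principal(m.group("princ")), int(m.group("code"), 16)
    return None


def wrong_password_counts(lines):
    """Count wrong-password failures per principal across both KDC types."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1] in WRONG_PASSWORD_CODES:
            counts[parsed[0]] += 1
    return counts


def flag_repeated_failures(lines, threshold=3):
    """Principals at or above the threshold, sorted for stable output."""
    return sorted(p for p, n in wrong_password_counts(lines).items() if n >= threshold)


# Constructed sample input: two MIT failures, one MIT success (ignored), one AD
# wrong password (0x18 = 24), one AD failure with a different code (0x12 = 18,
# KDC_ERR_CLIENT_REVOKED, not a wrong password).
SAMPLE_LINES = [
    "Jun 19 12:42:01 kdc krb5kdc[4321](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: "
    "PREAUTH_FAILED: mikef@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed",
    "Jun 19 12:42:03 kdc krb5kdc[4321](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: "
    "PREAUTH_FAILED: mikef@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed",
    "Jun 19 12:42:10 kdc krb5kdc[4321](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: "
    "ISSUE: authtime 1150720930, etypes {rep=18 tkt=18 ses=18}, mikef@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "EventID=4771 Kerberos pre-authentication failed. Account Name: mikef "
    "Client Address: ::ffff:10.0.0.5 Failure Code: 0x18",
    "EventID=4771 Kerberos pre-authentication failed. Account Name: jdoe "
    "Client Address: ::ffff:10.0.0.9 Failure Code: 0x12",
]

if __name__ == "__main__":
    for princ, n in wrong_password_counts(SAMPLE_LINES).items():
        print(f"{princ}: {n} wrong-password failure(s)")
    print("flagged:", flag_repeated_failures(SAMPLE_LINES))
```

The point of folding 31 and 24 into one category is the one Jeffrey Altman's answer implies: the same event is reported differently depending on which KDC handled it, so any threshold rule keyed on a single code will be blind to half of a mixed environment. Other 4771 failure codes (the constructed 0x12 above) are deliberately left out of the count, since a disabled or revoked account is a different signal from a password guess.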
