Hi everyone,
We have an application with a Windows client and an AD domain; S4U2Self works
well there.
The application calls LSALogonUser() to impersonate a user, which uses
S4U2Self by setting up the Windows structure KERB_S4U_LOGON.
Now we want to switch from Windows AD to an MIT KDC. Currently Windows can be
authenticated by the MIT KDC without any problem, but the Windows API
LSALogonUser() in our application fails.
Problem 1:
When LSALogonUser() is called, the KDC logs the following error:
Nov 03 14:01:40 niuniu krb5kdc[13724](info): TGS_REQ (5 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24),
UNSUPPORTED:(-135)}) 192.168.0.5: LOOKING_UP_SERVER: authtime 0,
host/[email protected]
for host\/[email protected], Server not found in Kerberos
database
In fact, the principal "host/[email protected]" exists. With Wireshark I
can see that Windows sends "host/[email protected]" as the sname, and the
KDC converts the sname to host\/[email protected].
I had a look at the code but found no parameter or setting that can change
this behavior.
Problem 2:
Sometimes the AS-REQ and TGS-REQ both succeed on the MIT KDC, but Windows
reports this error in the Event Viewer after calling LSALogonUser():
The digitally signed Privilege Attribute Certificate (PAC) that contains the
authorization information for client user in realm MYLAB.COM could not be
validated.
This error is usually caused by domain trust failures; contact your system
administrator.
I also tested "kvno -U user" on the same Windows machine, and it works.
From the MIT Kerberos documentation, I can see that S4U can be supported. My
question is: for S4U, does the MIT KDC have interoperability with the Windows
API? Any feedback will be greatly appreciated.
I'm a newbie in Kerberos, thanks for your help!
Regards
================================
Rocket Software, Inc. and subsidiaries • 77 Fourth Avenue, Waltham MA 02451 •
Main Office Toll Free Number: +1 855.577.4323
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
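An added example, not code from the poster or from MIT krb5: MIT krb5 escapes a "/" that occurs inside a single principal component when it prints a name, so a KDC log entry of the form host\/name@REALM means the sname arrived as one component containing a slash, not as the two-component principal host/name@REALM that exists in the database. The small parser/unparser below reproduces that convention so the log line can be read; the hostname machine.mylab.com is a constructed placeholder, MYLAB.COM is the realm from the post.

```python
# Re-implementation (added here, not MIT's own code) of the principal-name
# escaping MIT krb5 uses when printing and parsing names. It shows why a
# name that reaches the KDC as ONE component "host/machine.mylab.com" is
# logged as "host\/machine.mylab.com@MYLAB.COM", while the two-component
# principal host/machine.mylab.com@MYLAB.COM is logged without a backslash.
# "machine.mylab.com" is a constructed placeholder hostname.

# Characters MIT escapes inside a component, and their escaped spelling.
SPECIAL = {"/": "\\/", "@": "\\@", "\\": "\\\\",
           "\t": "\\t", "\n": "\\n", "\b": "\\b", "\0": "\\0"}
# Reverse map: the character following a backslash -> the literal it encodes.
UNESCAPE = {v[1]: k for k, v in SPECIAL.items()}


def unparse_principal(components, realm):
    """Join components with '/', escaping reserved characters (MIT style)."""
    esc = lambda s: "".join(SPECIAL.get(c, c) for c in s)
    return "/".join(esc(c) for c in components) + "@" + esc(realm)


def parse_principal(text):
    """Inverse of unparse_principal: split on unescaped '/' and '@'.

    Returns (components, realm); realm is None when no '@' is present.
    """
    components, current, realm, i = [], [], None, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):       # escaped character
            current.append(UNESCAPE.get(text[i + 1], text[i + 1]))
            i += 2
            continue
        if ch == "/" and realm is None:            # component separator
            components.append("".join(current))
            current = []
        elif ch == "@" and realm is None:          # start of realm
            components.append("".join(current))
            current = []
            realm = ""
        else:
            current.append(ch)
        i += 1
    if realm is None:
        components.append("".join(current))
        return components, None
    return components, "".join(current)


def component_count(logged_name):
    """Number of name components behind a name as printed in the KDC log."""
    return len(parse_principal(logged_name)[0])
```

Running component_count() over the escaped sname from the log returns 1, which is the diagnostic signal to compare against the two-component service principal registered in the KDC database.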