Has anyone been able to get a Windows 10 client to authenticate
against a Kerby KDC?
Java clients are successfully authenticating to this KDC.
I'm trying to test Windows 10 as a client and Windows is complaining:
"An unsupported preauthentication mechanism was presented to the
Kerberos package."
Looking at a packet trace the AS_REQ contains no PA data so Kerby
returns an error saying ERR_PREAUTH_REQUIRED. Here are the request and
reply packets:
Frame 4: 229 bytes on wire (1832 bits), 229 bytes captured (1832 bits)
on interface 0
Linux cooked capture
Internet Protocol Version 4, Src: 192.168.191.14, Dst: 192.168.191.8
Transmission Control Protocol, Src Port: 1595, Dst Port: 88, Seq: 1,
Ack: 1, Len: 173
Kerberos
Record Mark: 169 bytes
0... .... .... .... .... .... .... .... = Reserved: Not set
.000 0000 0000 0000 0000 0000 1010 1001 = Record Length: 169
as-req
pvno: 5
msg-type: krb-as-req (10)
req-body
Padding: 0
kdc-options: 40800010 (forwardable, renewable, renewable-ok)
0... .... = reserved: False
.1.. .... = forwardable: True
..0. .... = forwarded: False
...0 .... = proxiable: False
.... 0... = proxy: False
.... .0.. = allow-postdate: False
.... ..0. = postdated: False
.... ...0 = unused7: False
1... .... = renewable: True
.0.. .... = unused9: False
..0. .... = unused10: False
...0 .... = opt-hardware-auth: False
.... ..0. = request-anonymous: False
.... ...0 = canonicalize: False
0... .... = constrained-delegation: False
..0. .... = disable-transited-check: False
...1 .... = renewable-ok: True
.... 0... = enc-tkt-in-skey: False
.... ..0. = renew: False
.... ...0 = validate: False
cname
name-type: kRB5-NT-PRINCIPAL (1)
cname-string: 1 item
CNameString: rfeezel
realm: PRODENTITY2.COM
sname
name-type: kRB5-NT-SRV-INST (2)
sname-string: 2 items
SNameString: krbtgt
SNameString: PRODENTITY2.COM
till: 2037-09-13 02:48:05 (UTC)
rtime: 2037-09-13 02:48:05 (UTC)
nonce: 555337712
etype: 3 items
ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
ENCTYPE: eTYPE-DES-CBC-MD5 (3)
Frame 6: 221 bytes on wire (1768 bits), 221 bytes captured (1768 bits)
on interface 0
Linux cooked capture
Internet Protocol Version 4, Src: 192.168.191.8, Dst: 192.168.191.14
Transmission Control Protocol, Src Port: 88, Dst Port: 1595, Seq: 1,
Ack: 174, Len: 165
Kerberos
Record Mark: 161 bytes
0... .... .... .... .... .... .... .... = Reserved: Not set
.000 0000 0000 0000 0000 0000 1010 0001 = Record Length: 161
krb-error
pvno: 5
msg-type: krb-error (30)
stime: 2017-06-27 03:51:16 (UTC)
susec: 100
error-code: eRR-PREAUTH-REQUIRED (25)
realm: PRODENTITY2.COM
sname
name-type: kRB5-NT-PRINCIPAL (1)
sname-string: 1 item
SNameString: rfeezel
e-text: Additional pre-authentication required
e-data: 301b3019a103020113a2120410300e3005a0030201123005...
PA-DATA PA-ENCTYPE-INFO2
padata-type: kRB5-PADATA-ETYPE-INFO2 (19)
padata-value: 300e3005a0030201123005a003020111
ETYPE-INFO2-ENTRY
etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
ETYPE-INFO2-ENTRY
etype: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
--
Richard M Feezel
[email protected]
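Added example, not part of the original post: a small Python 3 decoder for the METHOD-DATA that a KRB-ERROR carries in e-data, which is how the client learns which pre-authentication types the KDC accepts (RFC 4120 §7.5.2). Run over the reply in the trace above it shows that Kerby advertised only PA-ETYPE-INFO2 (19) and no PA-ENC-TIMESTAMP (2) entry, the hint that tells a client it may retry with encrypted-timestamp pre-authentication; the second input is a constructed variant of the same reply with that entry present, for comparison. The full Kerby e-data bytes are reassembled from the outer header shown in the dump and the complete padata-value printed beneath it.

```python
# Added example (not from the original post): decode the METHOD-DATA in a KRB-ERROR
# e-data and report the pre-auth types the KDC advertised. Python 3, stdlib only.
PA_ENC_TIMESTAMP = 2   # RFC 4120 padata-type for encrypted-timestamp pre-auth
PA_ETYPE_INFO2 = 19    # RFC 4120 padata-type for ETYPE-INFO2 (etype/salt hints)

def read_tlv(buf: bytes, pos: int) -> tuple:
    # One DER TLV at pos -> (tag, value, position after it); definite lengths only
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(constructed: bytes) -> list:
    # Immediate (tag, value) members of a SEQUENCE or other constructed value
    out, pos = [], 0
    while pos < len(constructed):
        tag, val, pos = read_tlv(constructed, pos)
        out.append((tag, val))
    return out

def parse_method_data(edata: bytes) -> list:
    # METHOD-DATA ::= SEQUENCE OF PA-DATA { [1] padata-type, [2] padata-value }
    _, body, _ = read_tlv(edata, 0)
    result = []
    for _, padata in children(body):
        fields = dict(children(padata))
        _, patype, _ = read_tlv(fields[0xA1], 0)   # [1] EXPLICIT wraps INTEGER
        _, pavalue, _ = read_tlv(fields[0xA2], 0)  # [2] EXPLICIT wraps OCTET STRING
        result.append((int.from_bytes(patype, "big"), pavalue))
    return result

def etype_info2_etypes(pavalue: bytes) -> list:
    # ETYPE-INFO2 ::= SEQUENCE OF ETYPE-INFO2-ENTRY { [0] etype INTEGER, ... }
    _, body, _ = read_tlv(pavalue, 0)
    return [int.from_bytes(read_tlv(dict(children(e))[0xA0], 0)[1], "big")
            for _, e in children(body)]

def diagnose(edata: bytes) -> dict:
    # What the client learns from the error before deciding how (or whether) to retry
    pa = parse_method_data(edata)
    types = [t for t, _ in pa]
    etypes = [e for t, v in pa if t == PA_ETYPE_INFO2 for e in etype_info2_etypes(v)]
    return {"padata_types": types, "etypes": etypes, "enc_timestamp_hint": PA_ENC_TIMESTAMP in types}

# e-data from the trace above: outer header bytes as shown in the dump, then the complete
# padata-value printed beneath it. Only ETYPE-INFO2 (19) is advertised.
KERBY_EDATA = bytes.fromhex("301b3019a103020113a2120410300e3005a0030201123005a003020111")
# Constructed comparison: same reply with a PA-ENC-TIMESTAMP (2) entry (empty value) added.
WITH_HINT_EDATA = bytes.fromhex("30263009a103020102a2020400"
                                "3019a103020113a2120410300e3005a0030201123005a003020111")
```

`diagnose(KERBY_EDATA)` reports `enc_timestamp_hint: False` for the captured reply and `True` for the constructed one, which is the difference a client sees between the two KDCs.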