[24030] in Kerberos


RE: kerberos authentication for apache on windows

daemon@ATHENA.MIT.EDU (jas@aql.fr)
Mon Jun 6 10:45:35 2005

Message-ID: <20050606154532.0grtn8ynoso4cc44@webmail.aql.fr>
Date: Mon,  6 Jun 2005 15:45:32 +0200
From: jas@aql.fr
To: kerberos@mit.edu
In-Reply-To: <OFBEB9F262.8AB99ECF-ON85257018.00474817-85257018.004952CF@db.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset=UTF-8;
	format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Reply-To: julien.allanos@aql.fr
Errors-To: kerberos-bounces@mit.edu

Frank Balluffi <frank.balluffi@db.com> wrote:

> Julien ALLANOS said:
>
>> I am now facing the following problem: browsers don't send NTLM tokens
>> anymore but SPNEGO tokens (I believe). I don't really know what I did to
>> make it work, but heh, it works. That's good.
>
> For both NTLM and SPNEGO tokens, IE should send:
>
> Authorization: Negotiate
>
> followed by a base64-encoded token. To determine the type of token,
> capture and base64-decode the token. NTLM tokens begin with hex 4E 54 4C
> 4D 53 53 50 which corresponds to "NTLMSSP" and SPNEGO tokens begin with
> hex 60 ... 06 06 2B 06 01 05 05 02 where ... is between 1 and 3 bytes long
> (most commonly 3 bytes). 06 06 2B 06 01 05 05 02 means 1.3.6.1.5.5.2,
> which identifies the SPNEGO GSSAPI mechanism.
>
> Frank
>

I've sniffed on port 88 but I didn't see any packet. Probably because the browser,
KDC and web server are on the same machine? (I have only 1 machine in my domain
atm).

However, I can see the Authorization header (Negotiate + Base64 stuff) in the
second GET request to the web server. The token begins with: 60 82 04 c7 06 06
2b 06 01 05 05 02, which seems to be a SPNEGO token.

Is the service name encoded somewhere in this token? If I look at it as plain
text, I can see:

‚”0‚ ¡ADCASSARD.JAS.AQL.FR¢'0%
¡0HTTPadcassard.jas.aql.fr£‚F0‚B ¡

so I believe the requested principal is
HTTP/adcassard.jas.aql.fr@ADCASSARD.JAS.AQL.FR, which doesn't match what is
inside the keytab (HTTP/adcassard.jas.aql.fr@SRV1.ADCASSARD.JAS.AQL.FR). Then I
created a new keytab with the new service name, but it didn't change anything; I
still got the "no match" error.
-- 
Julien ALLANOS

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
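The two checks discussed in this exchange (base64-decode the Negotiate token and look for the "NTLMSSP" signature or for the 0x60 tag followed by the SPNEGO OID 1.3.6.1.5.5.2, then read the requested service principal out of the token) can be worked through in code. The Python below is an added example, not code from this thread or from MIT Kerberos: classify_token implements Frank's prefix test, and ap_req_service walks the DER from the SPNEGO NegTokenInit into the Kerberos AP-REQ and returns realm and sname from the Ticket, whose outer fields (tkt-vno, realm, sname) are not encrypted, which is why the principal was readable in a plain-text view of Julien's token. The sample tokens are constructed here with a small DER encoder (the real token from the message is not reproduced), the NTLM type 1 message is a constructed minimal one, and all function names are this example's own. Accepting Windows' own Kerberos mechanism OID 1.2.840.48018.1.2.2 alongside 1.2.840.113554.1.2.2, and handling a bare Kerberos token sent without the SPNEGO wrapper, are additions the thread does not mention.

```python
import base64

# DER-encoded OIDs as they appear after the 0x60 tag and length of a GSS-API InitialContextToken.
SPNEGO_OID = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2 (SPNEGO)
KRB5_OID = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2 (Kerberos 5)
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2 (Windows' Kerberos OID; added here, not in the thread)
NTLMSSP_SIG = b"NTLMSSP\x00"                           # 4E 54 4C 4D 53 53 50 00

def der_tlv(buf, pos=0):
    """Read one BER TLV at buf[pos]; return (tag, value, end). Single-byte tags suffice for Kerberos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for every TLV packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        yield tag, val

def classify_token(header_value):
    """Classify an 'Authorization: Negotiate <base64>' value; returns (kind, decoded token bytes)."""
    scheme, _, b64 = header_value.strip().partition(" ")
    raw = base64.b64decode(b64) if scheme.lower() == "negotiate" else b""
    if raw.startswith(NTLMSSP_SIG):
        return "NTLM", raw
    if raw[:1] == b"\x60":                              # [APPLICATION 0], a 1..3 byte length, then the mech OID
        _, body, _ = der_tlv(raw)
        if body.startswith(SPNEGO_OID):
            return "SPNEGO", raw
        if body.startswith((KRB5_OID, MS_KRB5_OID)):    # bare Kerberos token without the SPNEGO wrapper
            return "KRB5", raw
    return "unknown", raw

def ap_req_service(raw):
    """Return 'service/host@REALM' from the cleartext Ticket of the KRB_AP_REQ in a SPNEGO or bare KRB5 token."""
    tag, body, _ = der_tlv(raw)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    if body.startswith(SPNEGO_OID):
        # NegTokenInit ::= [0] SEQUENCE { [0] mechTypes, [1] reqFlags, [2] mechToken OCTET STRING, [3] mechListMIC }
        _, seq, _ = der_tlv(der_tlv(body, len(SPNEGO_OID))[1])
        mech_token = next(v for t, v in der_children(seq) if t == 0xA2)
        tag, body, _ = der_tlv(der_tlv(mech_token)[1])  # unwrap the OCTET STRING, then the inner 0x60 token
    oid = next((o for o in (KRB5_OID, MS_KRB5_OID) if body.startswith(o)), None)
    if oid is None or body[len(oid):len(oid) + 2] != b"\x01\x00":   # TOK_ID 01 00 = KRB_AP_REQ
        raise ValueError("not a Kerberos KRB_AP_REQ token")
    ap = dict(der_children(der_tlv(der_tlv(body, len(oid) + 2)[1])[1]))  # [APPLICATION 14] AP-REQ -> SEQUENCE
    tk = dict(der_children(der_tlv(der_tlv(ap[0xA3])[1])[1]))            # [3] ticket -> [APPLICATION 1] Ticket -> SEQUENCE
    realm = der_tlv(tk[0xA1])[1].decode("ascii")                         # [1] realm (GeneralString, not encrypted)
    sn = dict(der_children(der_tlv(tk[0xA2])[1]))                        # [2] sname PrincipalName
    names = der_children(der_tlv(sn[0xA1])[1])                           # [1] name-string SEQUENCE OF GeneralString
    return "/".join(v.decode("ascii") for _, v in names) + "@" + realm

def inspect_header(header_value):
    """(token kind, requested service principal or None) for one Authorization header value."""
    kind, raw = classify_token(header_value)
    return kind, ap_req_service(raw) if kind in ("SPNEGO", "KRB5") else None

def keytab_matches(header_value, keytab_principals):
    """Exact match on service, host and realm; a realm that differs is enough for a 'no match'."""
    return inspect_header(header_value)[1] in keytab_principals

# --- constructed sample tokens (hypothetical; the real token from the message is not reproduced) ---
def der(tag, *parts):
    """Encode one TLV with the concatenated parts as its value (short or long-form length)."""
    value = b"".join(parts)
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def build_spnego_ap_req(realm, service, host):
    """SPNEGO NegTokenInit wrapping a KRB_AP_REQ for service/host@realm; encrypted parts are dummy bytes."""
    gstr = lambda s: der(0x1B, s.encode("ascii"))
    integer = lambda ctx, v: der(ctx, der(0x02, bytes([v])))
    enc = der(0x30, integer(0xA0, 23), der(0xA2, der(0x04, b"\x00" * 16)))   # EncryptedData: etype 23, dummy cipher
    ticket = der(0x61, der(0x30, integer(0xA0, 5), der(0xA1, gstr(realm)),
                 der(0xA2, der(0x30, integer(0xA0, 1), der(0xA1, der(0x30, gstr(service), gstr(host))))),
                 der(0xA3, enc)))
    ap_req = der(0x6E, der(0x30, integer(0xA0, 5), integer(0xA1, 14),
                 der(0xA2, der(0x03, b"\x00\x20\x00\x00\x00")), der(0xA3, ticket), der(0xA4, enc)))
    krb5 = der(0x60, KRB5_OID + b"\x01\x00" + ap_req)           # GSS-API Kerberos token: OID, TOK_ID, AP-REQ
    neg_init = der(0xA0, der(0x30, der(0xA0, der(0x30, KRB5_OID)), der(0xA2, der(0x04, krb5))))
    return der(0x60, SPNEGO_OID + neg_init)

# Minimal NTLM NEGOTIATE_MESSAGE (type 1): signature, type, flags, empty domain and workstation fields.
NTLM_TYPE1 = NTLMSSP_SIG + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 16
SPNEGO_HEADER = "Negotiate " + base64.b64encode(
    build_spnego_ap_req("ADCASSARD.JAS.AQL.FR", "HTTP", "adcassard.jas.aql.fr")).decode()
NTLM_HEADER = "Negotiate " + base64.b64encode(NTLM_TYPE1).decode()
KEYTAB_PRINCIPALS = {"HTTP/adcassard.jas.aql.fr@SRV1.ADCASSARD.JAS.AQL.FR"}   # the entry quoted in the message

if __name__ == "__main__":
    print(inspect_header(SPNEGO_HEADER), inspect_header(NTLM_HEADER), keytab_matches(SPNEGO_HEADER, KEYTAB_PRINCIPALS))
```

On the constructed token, inspect_header returns HTTP/adcassard.jas.aql.fr@ADCASSARD.JAS.AQL.FR, the same shape as the principal read off the token in the message, and keytab_matches compares that string literally against the keytab entries, so the realm part has to agree as well as the service and host part. The decoded token starts with 60 81 d2 06 06 2b 06 01 05 05 02, which is the 60 ... 06 06 2B 06 01 05 05 02 pattern from Frank's reply with a two-byte length in the "..." position.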
