[15611] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

Is this TGS-REP legal now?

daemon@ATHENA.MIT.EDU (Weijun Wang)
Thu Mar 18 03:43:43 2010

MIME-version: 1.0
Date: Thu, 18 Mar 2010 15:43:20 +0800
From: Weijun Wang <Weijun.Wang@sun.com>
To: krbdev@mit.edu
Message-id: <8233A0D2-3E67-4275-8AA2-2836148F3A8E@sun.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

Hi All

A customer sends me a pcap file containing this TGS-REQ/TGS-REP pair. You can see that the sname in the returned ticket is different from the one requested. IIRC, in the case of cross-realm authentication, it's the client's responsibility to request for the inter-realm TGT. I've also checked draft-ietf-krb-wg-kerberos-referrals-11, and it says this KDC side friendly "recommendation" should only be done when the client requests for the "canonicalize" KDC option.

Is this still true today? Or, does MS Active Directory really act this way?

Kerberos TGS-REQ
    padata: PA-TGS-REQ
        Type: PA-TGS-REQ (1)
            Value: 6E8204B3308204AFA003020105A10302010EA20703050000... AP-REQ
                Ticket
                    Realm: NAEDEV.ADDEV.CUSTOMER.DOMAIN
                    Server Name (Service and Instance): krbtgt/NAEDEV.ADDEV.CUSTOMER.DOMAIN
    KDC_REQ_BODY
        KDCOptions: 00000000
        Realm: NAEDEV.ADDEV.CUSTOMER.DOMAIN
        Server Name (Unknown): HTTP/www.exchaddev.customer.domain

Kerberos TGS-REP
    Ticket
        Realm: NAEDEV.ADDEV.CUSTOMER.DOMAIN
        Server Name (Service and Instance): krbtgt/ADDEV.CUSTOMER.DOMAIN

All parties Windows.

Thanks
Max

_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

home help back first fref pref prev next nref lref last post