[15611] in Kerberos_V5_Development
Is this TGS-REP legal now?
daemon@ATHENA.MIT.EDU (Weijun Wang)
Thu Mar 18 03:43:43 2010
MIME-version: 1.0
Date: Thu, 18 Mar 2010 15:43:20 +0800
From: Weijun Wang <Weijun.Wang@sun.com>
To: krbdev@mit.edu
Message-id: <8233A0D2-3E67-4275-8AA2-2836148F3A8E@sun.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
Hi All
A customer sends me a pcap file containing this TGS-REQ/TGS-REP pair. You can see that the sname in the returned ticket is different from the one requested. IIRC, in the case of cross-realm authentication, it's the client's responsibility to request for the inter-realm TGT. I've also checked draft-ietf-krb-wg-kerberos-referrals-11, and it says this KDC side friendly "recommendation" should only be done when the client requests for the "canonicalize" KDC option.
Is this still true today? Or, does MS Active Directory really act this way?
Kerberos TGS-REQ
padata: PA-TGS-REQ
Type: PA-TGS-REQ (1)
Value: 6E8204B3308204AFA003020105A10302010EA20703050000... AP-REQ
Ticket
Realm: NAEDEV.ADDEV.CUSTOMER.DOMAIN
Server Name (Service and Instance): krbtgt/NAEDEV.ADDEV.CUSTOMER.DOMAIN
KDC_REQ_BODY
KDCOptions: 00000000
Realm: NAEDEV.ADDEV.CUSTOMER.DOMAIN
Server Name (Unknown): HTTP/www.exchaddev.customer.domain
Kerberos TGS-REP
Ticket
Realm: NAEDEV.ADDEV.CUSTOMER.DOMAIN
Server Name (Service and Instance): krbtgt/ADDEV.CUSTOMER.DOMAIN
All parties Windows.
Thanks
Max
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev