DCE KDC and win2k KDC crossrealm authentication problem

Oliver Winkelmann winkeol at uni-muenster.de
Wed Jun 12 05:38:36 EDT 2002


Hello,

I am trying to set up a DCE 2.2 KDC <-> Windows 2000 KDC trust relationship,
but there are still some problems.
When I use an MIT KDC everything works fine and I can log on with
my win2k workstation via the MIT KDC to the win2k DC.

I have used a network sniffer (ethereal) to investigate the Kerberos traffic
between the different machines. The user with his workstation
can authenticate to the DCE KDC and gets a TGT for the DCE realm (Step 1),
see below. Then he would like to get a service ticket for the win2k DC and
gets this as well (Step 2). After the TGS-Request for the
win2k-realm-TGT (Step 3) an error occurs and on the workstation appears a
Logon Message: The system could not log you on ...

1.  AS-REQ     win2k client    ->  DCE KDC
    AS-REP     DCE KDC         ->  win2k client
2.  TGS-REQ    win2k client    ->  DCE KDC
    TGS-REP    DCE KDC         ->  win2k client
3.  TGS-REQ    win2k client    ->  win2k DC & KDC
    KRB-ERROR  win2k DC & KDC  ->  win2k client

In my efforts to use a DCE KDC I found out that the win2k client
will only get an AS-REP from the DCE KDC when a special entry
is created in the Windows registry:

HKLM\System\CurrentControl\Control\Lsa\Kerberos\Domains\<your DCE realm name>\RealmFlags

    VALUE NAME    DATA TYPE    VALUE
    RealmFlags    REG_DWORD    1

With this entry the win2k client puts its net address in the Kerberos packet.
The DCE KDC needs this!!! When a win2k workstation sends an AS-REQ without
its net address (the default) you receive an error in the reply UDP packet:
Incorrect net address.


The last ethernet frame in Step 3 (KRB-ERROR) contains this message:

Kerberos
    Version: 5
    MSG Type: KRB-ERROR
    stime: 2002-06-07 13:39:05 (Z)
    susec: 914988
    Error Code: KRB5KRB_AP_ERR_MODIFIED   <-- KRB-ERROR from win2k DC, which means "Message stream modified"
    realm: KERBTEST.XXX.YY
    sname: krbtgt
        Type: Service and Instance
        Name: krbtgt
        Name: KERBTEST.XXX.YY

KERBTEST.XXX.YY is the win2k Kerberos realm.
With an MIT KDC instead of a DCE KDC I get no error and a normal TGS-REP.

Has anyone solved this problem before? It's nearly impossible to
find any information about this on the web. Or is there no
interoperability between the Windows 2000 and DCE Kerberos implementations???
That's a very important question for us in reference to our user
administration.
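As an added illustration (not code from the post or from either KDC), a toy Python model of Steps 1-3 above showing one way a KRB5KRB_AP_ERR_MODIFIED can come back at Step 3: the remote KDC cannot verify the cross-realm TGT with its copy of the inter-realm key. The DCE realm name DCE.EXAMPLE, the HMAC "sealing" that stands in for Kerberos ticket encryption, and all key values are constructed stand-ins.

```python
import hashlib
import hmac

# Constructed toy model of Steps 1-3 from the post. Kerberos encryption-with-
# integrity is replaced by an HMAC tag so this runs offline; only the inter-realm
# key agreement between the two KDCs is being illustrated.
DCE_REALM = "DCE.EXAMPLE"        # placeholder for the DCE realm name
WIN_REALM = "KERBTEST.XXX.YY"    # the win2k realm named in the post
XREALM = f"krbtgt/{WIN_REALM}@{DCE_REALM}"   # inter-realm principal held by both KDCs

class KrbError(Exception):
    """Stands in for a KRB-ERROR message; str(err) is the error code."""

def seal(key: bytes, ticket: dict) -> bytes:
    body = "|".join(f"{k}={v}" for k, v in sorted(ticket.items())).encode()
    return body + b"#" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def unseal(key: bytes, blob: bytes) -> dict:
    body, _, tag = blob.rpartition(b"#")
    good = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, good):
        raise KrbError("KRB5KRB_AP_ERR_MODIFIED")   # "Message stream modified"
    return dict(f.split("=", 1) for f in body.decode().split("|"))

class Kdc:
    def __init__(self, realm: str, keys: dict):
        self.realm, self.keys = realm, keys          # service principal -> long-term key

    def as_rep(self, client: str) -> bytes:          # Step 1: TGT for the home realm
        sname = f"krbtgt/{self.realm}@{self.realm}"
        return seal(self.keys[sname], {"client": client, "sname": sname})

    def tgs_rep(self, tgt: bytes, requested: str) -> bytes:   # Steps 2 and 3
        # The TGT's sname is in the clear (as in a real Ticket) and names the key that must verify it.
        sname = dict(f.split("=", 1) for f in tgt.rpartition(b"#")[0].decode().split("|"))["sname"]
        if sname not in self.keys or requested not in self.keys:
            raise KrbError("KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN")
        client = unseal(self.keys[sname], tgt)["client"]      # MODIFIED if the key differs
        return seal(self.keys[requested], {"client": client, "sname": requested})

def cross_realm_logon(dce_xrealm_key: bytes, win_xrealm_key: bytes) -> str:
    """Run Steps 1-3; return "TGS-REP" on success or the KRB-ERROR code of the failing step."""
    dce = Kdc(DCE_REALM, {f"krbtgt/{DCE_REALM}@{DCE_REALM}": b"dce-tgt-key", XREALM: dce_xrealm_key})
    service = f"host/dc.{WIN_REALM.lower()}@{WIN_REALM}"       # constructed win2k DC principal
    win = Kdc(WIN_REALM, {f"krbtgt/{WIN_REALM}@{WIN_REALM}": b"win-tgt-key",
                          XREALM: win_xrealm_key, service: b"dc-host-key"})
    try:
        tgt = dce.as_rep("user")           # Step 1: AS-REQ / AS-REP at the DCE KDC
        xtgt = dce.tgs_rep(tgt, XREALM)    # Step 2: cross-realm TGT for the win2k realm
        win.tgs_rep(xtgt, service)         # Step 3: TGS-REQ at the win2k DC & KDC
        return "TGS-REP"
    except KrbError as err:
        return str(err)
```

With both KDCs holding the same inter-realm key the call returns "TGS-REP"; with differing keys Step 3 returns "KRB5KRB_AP_ERR_MODIFIED", which is the symptom worth checking (key, enctype and salt for the inter-realm principal) on both sides of a trust.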


