JAVASEC - Using Java client with Windows 2003 AD with mixed case PrincipalNames

Douglas E. Engert deengert at anl.gov
Fri Dec 3 17:14:19 EST 2004



Seema Malkani wrote:
> Sun's implementation of Java GSS/Kerberos currently supports 
> PA-ENC-TIMESTAMP as per RFC 1510. The new pre-authentication types 
> specified in the Kerberos clarifications provide additional 
> pre-authentication. Support for these new pre-authentication types 
> PA-ETYPE-INFO and PA-ETYPE-INFO2 will be available in future J2SE release.

Yes it appears the PA-ENC-TIMESTAMP works, if it is encrypted using the
correct key. But if the salt or what 1510 refers to as an
'alternate "mix-in" string' is wrong the KDC returns with an error 24,
rather than a 25.

RFC 1510 does refer to the pa-pw-salt as a returned PA-DATA. Java
does not handle this in the 24 error. Although it is underspecified,
one could argue the Java implementation is not 1510 compliant.

Comments on the Kerberos mailing list from others indicate that the Java
code is not handling pre-auth correctly.

> 
> However, if you specify the etype correctly, you should not get the 
> pre-authentication error. You can specify the default encryption types 
> used by the Java client in the Kerberos configuration file.
> 

It's not an e-type problem, it is a wrong salt or failure of the client
to use the salt returned by the KDC.

You can easily test this with a network trace program, like Ethereal, and
use the Java kinit against a Windows AD. Just change the case of one
of the letters in the principal name, and you will get a KRB5_ERROR
response with (24). If you look at the message you will see the salt
returned twice, as a PA-ETYPE-INFO and PA-SALT-DATA. (Ethereal has some
problems parsing these, but the salt is in the message.)

> [libdefaults]
> default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
> default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
> permitted_enctypes   = des-cbc-md5 des-cbc-crc des3-cbc-sha1//
> 
> In addition, Windows allows disabling pre-authentication by selecting 
> "do not require Kerberos pre-authentication" in the AD account settings.
> 
> Seema
> 
> Douglas E. Engert wrote:
> 
>>
>> Sam Hartman wrote:
>>
>>> All these issues have been discussed on the ietf-krb-wg list although
>>> never quite in the same place.
>>>
>>> Java is wrong in how it handles preauth; the advice in my preauth
>>> draft would be a better approach.
>>
>> I agree it is wrong. What I would like to see is the Java people
>> admit this and fix it and work in the krb-wg too.
>>
>>>
>>> AD is stretching clarifications significantly in how it handles case
>>> of principal names.  However it's much more usable than what other
>>> implementations do.  There was a long and heated discussion between
>>> Martin Rex and people at Microsoft over this issue.
>>
>> Somehow I miss that point. Hopefully the explanation I put together
>> will get the Java people to do something about the preauth.
>>
>>>
>>> --Sam

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
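As an added illustration (not code from this thread or from Sun's Java implementation), a small Python model of the exchange described above: the KDC's key is derived with the salt for the account's canonical-case name, a client that builds its own salt from the name as typed gets a 24 after the 25, and a client that uses the salt returned in PA-ETYPE-INFO succeeds. The realm, account name and password are constructed, and the key derivation is a stand-in for the real DES string-to-key.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example values (not taken from the thread).
REALM = "EXAMPLE.COM"
PASSWORD = "correct horse"
KDC_ERR_PREAUTH_FAILED = 24     # wrong key used for PA-ENC-TIMESTAMP
KDC_ERR_PREAUTH_REQUIRED = 25   # pre-auth needed; reply carries the salt


def default_salt(realm: str, components: List[str]) -> str:
    """RFC 1510/3961 default salt: realm followed by the name components,
    concatenated with no separators. Case matters, which is the problem."""
    return realm + "".join(components)


def string_to_key(password: str, salt: str) -> bytes:
    """Stand-in for DES string-to-key (assumption: any deterministic
    function of password and salt shows the same mismatch behaviour)."""
    return hashlib.sha256((password + salt).encode()).digest()


@dataclass
class KdcReply:
    error: Optional[int]            # None means AS-REP, i.e. success
    pa_salt: Optional[str] = None   # salt echoed in PA-ETYPE-INFO / PA-PW-SALT


class ToyKdc:
    """Looks the account up case-insensitively (as AD does) but holds a key
    salted with the canonical-case account name."""
    def __init__(self, canonical_name: str, password: str):
        self.salt = default_salt(REALM, [canonical_name])
        self.key = string_to_key(password, self.salt)

    def as_req(self, enc_timestamp_key: Optional[bytes]) -> KdcReply:
        if enc_timestamp_key is None:           # no PA-ENC-TIMESTAMP present
            return KdcReply(KDC_ERR_PREAUTH_REQUIRED, self.salt)
        if enc_timestamp_key != self.key:       # timestamp under the wrong key
            return KdcReply(KDC_ERR_PREAUTH_FAILED, self.salt)
        return KdcReply(None)


def client_login(kdc: ToyKdc, typed_name: str, password: str,
                 honour_pa_salt: bool) -> Tuple[bool, List[int]]:
    """Returns (success, KDC error codes seen). honour_pa_salt=False models a
    client that derives its salt from the name as typed."""
    errors: List[int] = []
    reply = kdc.as_req(None)                    # initial AS-REQ, no pre-auth
    errors.append(reply.error)                  # expect 25 plus the salt
    salt = reply.pa_salt if honour_pa_salt else default_salt(REALM, [typed_name])
    reply = kdc.as_req(string_to_key(password, salt))
    if reply.error is None:
        return True, errors
    errors.append(reply.error)
    return False, errors
```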
