AD MIT Interoperability rc4-hmac

rousset denis.rousset at cea.fr
Thu Feb 19 03:19:55 EST 2004


Here is my problem explained accurately:

Interoperability between W2K AD domain and Kerberos MIT KDC.

We try to log on to a W2Kpro workstation that is a member of an AD domain (e.g. 
MICROSOFT.COM) with an MIT principal (user at MIT.COM).

The encryption type we chose is RC4-HMAC, and we want to use pre-auth.

Implementation:

Cf. Kerberos step by step --> 
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
section "Setting Trust with a Kerberos Realm"

A cross-realm relationship is set up between MICROSOFT.COM and MIT.COM.
user at MICROSOFT.COM is mapped to user at MIT.COM.

Here is the configuration of user at MIT.COM:

Principal: user at MIT.COM
Expiration date: [never]
Last password change: Wed Feb 11 11:01:53 MET 2004
Password expiration date: [none]
Maximum ticket life: 15 days 00:00:00
Maximum renewable life: 15 days 00:00:00
Last modified: Wed Feb 11 11:01:53 MET 2004 (root/admin at MIT.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 3
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]


Problem:

We can't log on to the workstation with this configuration (cf. logs).
test1: If PRE_AUTH is disabled for user at MIT.COM, it works.
test2: If PRE_AUTH is enabled, but the only encryption type for 
user at MIT.COM is des-cbc-crc, it works.

Questions:

Is it possible to make this configuration work with both Pre-auth 
enabled and encryption rc4-hmac on MIT’s side?
If not, keeping the same configuration for MIT’s principal, is it 
possible to force the W2K workstation to use des-cbc-md5 as default 
encryption type at logon and not rc4-hmac for the MIT.COM realm?

Annexes:
Windows error logs:
Type de l'événement : Erreur
Source de l'événement : Kerberos
Catégorie de l'événement : Aucun
ID de l'événement : 594
Date : 11/02/2004
Heure : 11:02:56
Utilisateur : N/A
Ordinateur : TS
Description :
Réception d'un message d'erreur Kerberos :
lors de l'ouverture de session LogonUser
Heure du client : MIT.COM\user
Heure du serveur : 8:48:25.0000 7/17/2000 Z
Code d'erreur : 10:2:56.0000 2/11/2004 (null) 0x19
Erreur étendue : KDC_ERR_PREAUTH_REQUIRED
Client du domaine Kerberos : MIT.COM
Nom du client : rousset
Serveur du domaine Kerberos : MIT.COM
Nom du serveur : krbtgt/MIT.COM
Nom cible : krbtgt/MIT.COM at MIT.COM
Texte d'erreur : NEEDED_PREAUTH
Fichier :
Ligne :
Les données d'erreur sont dans les données de l'enregistrement.
Données :

MIT KDC error log

Feb 11 11:02:56 persee krb5kdc[1152](info): AS_REQ (7 etypes {23 -133 
-128 3 1 24 -135}) 192.168.1.2: NEEDED_PREAUTH: user at MIT.COM for 
krbtgt/MIT.COM at MIT.COM, Additional pre-authentication required

Configuration:

Windows 2000 SP4
Time is synchronized between W2K and MIT KDC.


Thank you
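To read the MIT KDC log line in the annex, here is a small added parser (my own example, not code from the thread) that splits the AS_REQ line, names each etype number (the negative ones using the names I assume from Windows' KERB_ETYPE constants) and intersects the workstation's offer with the keys from the kadmin listing of user at MIT.COM.

```python
import re

# Kerberos etype numbers as MIT krb5kdc prints them. Positive values are the
# IANA-registered types; the negative ones are Microsoft's private RC4 variants
# that a Windows 2000 client advertises (names assumed from KERB_ETYPE_*).
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
    -128: "rc4-md4 (MS)", -133: "rc4-hmac-old (MS)", -135: "rc4-hmac-old-exp (MS)",
}
# Keys the MIT principal has, from the kadmin listing in the post (vno 1, three etypes).
PRINCIPAL_KEY_ETYPES = [23, 16, 1]

# Matches only the NEEDED_PREAUTH-style line shown in the post, not every krb5kdc message.
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\((?P<n>\d+) etypes \{(?P<etypes>[-\d ]+)\}\) (?P<ip>[\d.]+): "
    r"(?P<status>\w+): (?P<client>\S+) for (?P<server>[^\s,]+)(?:, (?P<msg>.*))?"
)

def parse_kdc_line(line):
    """Parse one krb5kdc AS_REQ/TGS_REQ line into a dict; None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    etypes = [int(x) for x in m.group("etypes").split()]
    if len(etypes) != int(m.group("n")):
        return None  # count in the log disagrees with the list: treat as corrupt
    return {
        "request": m.group("req"),
        "etypes": etypes,
        "etype_names": [ETYPE_NAMES.get(e, f"unknown({e})") for e in etypes],
        "client_ip": m.group("ip"),
        "status": m.group("status"),
        "client": m.group("client"),
        "server": m.group("server"),
        "needs_preauth": m.group("status") == "NEEDED_PREAUTH",
    }

def usable_etypes(offered, principal_keys=PRINCIPAL_KEY_ETYPES):
    """Offered etypes the KDC can serve for this principal, in the client's preference order."""
    return [e for e in offered if e in principal_keys]

# Constructed sample: the KDC line from the post, unwrapped, with the archive's
# "user at MIT.COM" spam-munging restored to the real "user@MIT.COM" form.
SAMPLE = ("Feb 11 11:02:56 persee krb5kdc[1152](info): AS_REQ (7 etypes "
          "{23 -133 -128 3 1 24 -135}) 192.168.1.2: NEEDED_PREAUTH: "
          "user@MIT.COM for krbtgt/MIT.COM@MIT.COM, Additional pre-authentication required")

if __name__ == "__main__":
    rec = parse_kdc_line(SAMPLE)
    print(rec["etype_names"])            # the workstation's offer, rc4-hmac first
    print(usable_etypes(rec["etypes"]))  # [23, 1]: rc4-hmac is chosen, des-cbc-crc is the fallback
```

The intersection shows why test2 works: with only des-cbc-crc on the principal, rc4-hmac drops out of the usable list.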





Jeffrey Altman wrote:

> Alberto Patino wrote:
>
>> On Wed, 2004-02-18 at 00:49, Jeffrey Altman wrote:
>>
>>> I have verified with Microsoft that the default configuration of 
>>> Windows 2003 does not allow the use of RC4-HMAC with MIT KDC Trust 
>>> relationships. There is functionality to support this mode of operation;
>>> unfortunately there are no tools available to allow you to enable it.
>>>
>>
>> I thought that the inclusion of support for rc4-hmac encryption types in
>> KDC servers (MIT & Heimdal) was aimed at avoiding the use of
>> not-very-secure des-cbc-md5 and des-cbc-crc enc-types when you want to
>> interoperate between Windows and non-Windows Kerberos realms.
>
>
> RC4-HMAC at present can only be used to obtain TGTs and
> Service Tickets. It cannot be used for Cross Realm Trusts.
>
>>> I have obtained the necessary information to construct a tool to enable
>>> RC4-HMAC support for MIT KDC Trust relationships and will endeavor to
>>> build one in the next day or two for inclusion within the final release
>>> of KfW 2.6. At the very least this tool will allow you to specify a
>>> MIT Realm Name and allow the RC4-HMAC flag to be toggled on or off.
>>>
>>
>> Will this tool work with heimdal too?
>
>
> As the tool affects the Windows 2003 Server LSA configuration, it should
> allow RC4-HMAC cross realm trusts to be configured with any non-MS KDC.
> (Assuming I can get it to work.)
>
> Jeffrey Altman
> KfW Maintainer
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
