MIT/Win2k/XP Kerberos trust relationship bug?
Rodney M Dyer
rmdyer at uncc.edu
Tue Jul 13 14:54:58 EDT 2004
At 01:42 PM 7/13/04, Brian Davidson wrote:
>Hi,
>
>I saw this question in the archives (May 4, 2002), but with no
>responses. We're running into this issue, and I was wondering if there
>was any workaround [yet]?
This may be the problem you have. See the section "Very Important Notes",
subsection "Bug in Microsoft/MIT Kerberos V5 replay detection breaks AD
server shares".
http://www.coe.uncc.edu/~rmdyer/krblogon.htm
The MS patch description...
http://www.coe.uncc.edu/~rmdyer/Q811802_hotfix_info.htm
Rodney
>The configuration - MIT KDC is "primary" KDC, and Windows AD KDC trusts
>the MIT KDC.
>
>The problem:
>1. From an XP workstation which is a member of the AD, authenticate against
>the MIT realm
>2. Lock the workstation
>3. Unlock the workstation
>
>At this point, you've lost virtually all of your tickets, and you can't
>access resources in the AD. I haven't found any patches, but maybe I
>don't know the secret code word to put into the Microsoft Knowledgebase,
>or Google.
>
>Based on packet traces, I'm convinced it's a Windows 2000/XP bug. It's
>the workstation which forgets its tickets, and then neglects to ask for
>new ones.
>
>If there isn't a fix available, I guess I'll write a GINA which acts as a
>pass-through to the default GINA for all GINA functions except for
>WlxWkstaLockedSAS(). I'm assuming it's dumping the tickets when
>WlxWkstaLockedSAS acquires a new TGT from the MIT realm...
>
>Thanks for any help,
>
>Brian Davidson
>George Mason University
>
>________________________________________________
>Kerberos mailing list Kerberos at mit.edu
>https://mailman.mit.edu/mailman/listinfo/kerberos
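One way to confirm the symptom Brian describes (tickets vanishing across a lock/unlock) is to capture `klist` output before locking and after unlocking and diff the service principals. The following is an added example, not code from the thread; it parses MIT `klist`-style output only, and the two sample dumps are constructed with placeholder realm and host names.

```python
import re

# MIT klist ticket rows look like:
# "07/13/04 13:00:00  07/13/04 23:00:00  krbtgt/REALM@REALM"
# (four date/time tokens, then the service principal). Header and
# "Default principal:" lines do not match because they lack that shape.
_MIT_ROW = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+(\S+@\S+)\s*$")


def parse_klist(output: str) -> set:
    """Return the set of service principals listed in an MIT klist dump."""
    principals = set()
    for line in output.splitlines():
        m = _MIT_ROW.match(line)
        if m:
            principals.add(m.group(1))
    return principals


def lost_tickets(before: str, after: str) -> set:
    """Service principals held before the lock that are gone after the unlock."""
    return parse_klist(before) - parse_klist(after)


# Constructed sample dumps (not real captures); realm and host names are placeholders.
BEFORE_LOCK = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@MIT.EXAMPLE.EDU

Valid starting     Expires            Service principal
07/13/04 13:00:00  07/13/04 23:00:00  krbtgt/MIT.EXAMPLE.EDU@MIT.EXAMPLE.EDU
07/13/04 13:00:02  07/13/04 23:00:00  krbtgt/AD.EXAMPLE.EDU@MIT.EXAMPLE.EDU
07/13/04 13:00:05  07/13/04 23:00:00  cifs/fs1.ad.example.edu@AD.EXAMPLE.EDU
"""

# After unlock only a fresh TGT for the MIT realm remains; the cross-realm
# TGT and the AD service ticket are gone, matching the reported symptom.
AFTER_UNLOCK = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@MIT.EXAMPLE.EDU

Valid starting     Expires            Service principal
07/13/04 13:20:00  07/13/04 23:20:00  krbtgt/MIT.EXAMPLE.EDU@MIT.EXAMPLE.EDU
"""

if __name__ == "__main__":
    for principal in sorted(lost_tickets(BEFORE_LOCK, AFTER_UNLOCK)):
        print("lost after unlock:", principal)
```

In practice, redirect `klist` to a file before locking and again after unlocking, then feed both files to `lost_tickets`.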