MIT/Win2k/XP Kerberos trust relationship bug?

Rodney M Dyer rmdyer at uncc.edu
Tue Jul 13 14:54:58 EDT 2004


At 01:42 PM 7/13/04, Brian Davidson wrote:
>Hi,
>
>I saw this question in the archives (May 4, 2002), but with no 
>responses.  We're running into this issue, and I was wondering if there 
>was any workaround [yet]?

This may be the problem you have.  See the section "Very Important Notes", 
subsection "Bug in Microsoft/MIT Kerberos V5 replay detection breaks AD 
server shares".

http://www.coe.uncc.edu/~rmdyer/krblogon.htm

The MS patch description...

http://www.coe.uncc.edu/~rmdyer/Q811802_hotfix_info.htm

Rodney



>The configuration - MIT KDC is "primary" KDC, and Windows AD KDC trusts 
>the MIT KDC.
>
>The problem:
>1. From an XP workstation which is a member of the AD, authenticate against 
>the MIT realm
>2. Lock the workstation
>3. Unlock the workstation
>
>At this point, you've lost virtually all of your tickets, and you can't 
>access resources in the AD.  I haven't found any patches, but maybe I 
>don't know the secret code word to put into the Microsoft Knowledgebase, 
>or Google.
>
>Based on packet traces, I'm convinced it's a Windows 2000/XP bug.  It's 
>the workstation which forgets its tickets, and then neglects to ask for 
>new ones.
>
>If there isn't a fix available, I guess I'll write a GINA which acts as a 
>pass-through to the default GINA for all GINA functions except for 
>WlxWkstaLockedSAS().  I'm assuming it's dumping the tickets when 
>WlxWkstaLockedSAS acquires a new TGT from the MIT realm...
>
>Thanks for any help,
>
>Brian Davidson
>George Mason University
>
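A check a defender could run around the lock/unlock steps described above, added here and not taken from the thread: it diffs two `klist` listings (constructed samples in MIT output format; the principals, realms and hostnames are made up) and reports whether the cross-realm TGT for the AD realm was among the tickets that vanished.

```python
import re
from typing import Dict, Set

# Constructed sample MIT 'klist' output, captured before locking the workstation.
BEFORE_LOCK = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: bdavidson@EXAMPLE.EDU

Valid starting       Expires              Service principal
07/13/2004 13:30:00  07/13/2004 23:30:00  krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
07/13/2004 13:30:05  07/13/2004 23:30:00  krbtgt/AD.EXAMPLE.EDU@EXAMPLE.EDU
07/13/2004 13:31:10  07/13/2004 23:30:00  cifs/fs1.ad.example.edu@AD.EXAMPLE.EDU
"""

# Constructed sample captured after unlocking: only a fresh MIT TGT survives.
AFTER_UNLOCK = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: bdavidson@EXAMPLE.EDU

Valid starting       Expires              Service principal
07/13/2004 13:45:00  07/14/2004 23:45:00  krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
"""

# One ticket line: "<valid starting> <expires> <service principal>" in MIT klist layout.
TICKET_LINE = re.compile(
    r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\s+\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\s+(\S+@\S+)$"
)

def parse_klist(text: str) -> Dict[str, object]:
    """Return the default principal and the set of service principals in a cache listing."""
    default = ""
    tickets: Set[str] = set()
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            default = line.split(":", 1)[1].strip()
        m = TICKET_LINE.match(line.strip())
        if m:
            tickets.add(m.group(1))
    return {"default": default, "tickets": tickets}

def classify(service: str, client_realm: str) -> str:
    """Label a ticket: own-realm TGT, cross-realm TGT, or an ordinary service ticket."""
    name, realm = service.rsplit("@", 1)
    if name.startswith("krbtgt/"):
        return "local-tgt" if name[len("krbtgt/"):] == client_realm else "cross-realm-tgt"
    return "service@" + realm

def diff_caches(before: str, after: str) -> Dict[str, object]:
    """Report which tickets vanished between two listings, grouped by what they were for."""
    b, a = parse_klist(before), parse_klist(after)
    client_realm = b["default"].rsplit("@", 1)[1]
    lost = sorted(b["tickets"] - a["tickets"])
    kinds = sorted({classify(t, client_realm) for t in lost})
    return {"lost": lost, "lost_kinds": kinds,
            "cross_realm_tgt_lost": "cross-realm-tgt" in kinds}

if __name__ == "__main__":
    print(diff_caches(BEFORE_LOCK, AFTER_UNLOCK))
```

Capture `klist` output into two files before and after the lock/unlock cycle and feed them to `diff_caches`; a lost cross-realm TGT is the symptom to look for.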