handling of kerberos error in win2k
Jeffrey Altman
jaltman2 at nyc.rr.com
Mon Jun 21 09:36:09 EDT 2004
When KDC_ERR_PREAUTH_REQUIRED is returned by the KDC,
the client will examine the KRB_ERROR data to determine
if the client understands the desired type of pre-authentication
data which is required. If it does, it will simply return the
necessary information. If it does and requires user input,
the Kerberos SSP/AP will prompt the user for the necessary
input. If the required pre-auth data cannot be provided, the
Kerberos SSP/AP will return a failure code to the LSA, which
in turn will log to the event log.
Jeffrey Altman
Lara Adianto wrote:
> hi,
>
> I found a little light in my search, but haven't found
> a complete answer yet:
>
> When a user invokes the SAS sequence, winlogon will
> call the GINA function WlxWkstatLockedSAS, which in turn
> will call LsaLogonUser.
> LsaLogonUser does the authentication. If the
> authentication fails, it may return for example
> STATUS_LOGON_FAILURE (if username or password are
> wrong), STATUS_ACCOUNT_RESTRICTION (for example if the
> username and password are correct but the password has
> expired). In the latter case, the LsaLogonUser will set
> SubStatus to STATUS_PASSWORD_EXPIRED. (I simplify the
> whole process to my own needs by the way, it should be
> more complicated than this)
>
> So I conclude (correct me if I'm wrong) that when the
> KDC returns KDC_ERR_PREAUTH_REQUIRED, LsaLogonUser
> will simply return STATUS_LOGON_FAILURE to GINA or
> STATUS_ACCOUNT_RESTRICTION when the KDC returns
> KDC_ERR_KEY_EXPIRED.
>
> In case of KDC_ERR_PREAUTH_REQUIRED, is there any way
> for GINA to know the exact error code, and not
> just STATUS_LOGON_FAILURE?
>
> -lara-
>
> --- Lara Adianto <m1r4cle_26 at yahoo.com> wrote:
>
>>Hi,
>>
>>I'm experimenting with MIT KDC and Windows 2000 as the
>>client that authenticates to MIT KDC, and I might need
>>to replace the GINA in the Windows client in order to
>>achieve what I want.
>>
>>Does anybody know, in Windows 2000, who (LSA, GINA,
>>SSP) handles the following issue and how it is handled?
>>
>>1. If the authentication fails because MIT KDC
>>returns KDC_ERR_PREAUTH_REQUIRED or
>>KDC_ERR_KEY_EXPIRED, how does the SSP (I believe it is
>>the SSP that captures this error from the KDC) tell the GINA
>>about the failed login? Will the SSP tell the GINA the exact
>>error message (KDC_ERR_PREAUTH_REQUIRED or
>>KDC_ERR_KEY_EXPIRED) or will the SSP return another type
>>of error code or even a general error code (in this
>>case the GINA is not aware of what caused the error)?
>>
>>2. Who (GINA, LSA, ...) logs the error to the event
>>viewer?
>>
>>This might not be the right forum to discuss it, but
>>I'm not sure to which mailing list I can address this
>>issue.
>>
>>thank you,
>>lara
>>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
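As an added example (not code from this thread, from Microsoft, or from MIT), here is the first client step Jeffrey describes, in Python: decode the KDC's KRB-ERROR (RFC 4120 section 5.9.1) to read error-code and, for KDC_ERR_PREAUTH_REQUIRED, the PA-DATA types carried in e-data, then check them against the types the client understands. The DER handling is a minimal hand-rolled one (short-form lengths only), and the sample message, realm and the "understood" set are constructed for illustration.

```python
KDC_ERR_KEY_EXPIRED, KDC_ERR_PREAUTH_REQUIRED = 23, 25  # RFC 4120 7.5.9
UNDERSTOOD_PA = {2: "PA-ENC-TIMESTAMP", 11: "PA-ETYPE-INFO", 19: "PA-ETYPE-INFO2"}  # hypothetical client

def der(tag, payload):
    """Encode one DER TLV; short-form length only, which is all this sample needs."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload

def der_children(buf):
    """Split a DER constructed value into (tag, content) pairs (short-form lengths only)."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length = buf[pos], buf[pos + 1]
        out.append((tag, buf[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return out

def ctx_fields(seq):
    """Map Kerberos context tag [n] -> content of the primitive it wraps."""
    return {tag & 0x1F: der_children(val)[0][1] for tag, val in der_children(seq)}

def parse_krb_error(msg):
    """Return (error_code, [padata-type, ...]) from a DER-encoded KRB-ERROR."""
    (app_tag, body), = der_children(msg)
    assert app_tag == 0x7E, "not [APPLICATION 30] KRB-ERROR"
    fields = ctx_fields(der_children(body)[0][1])
    error_code = int.from_bytes(fields[6], "big", signed=True)  # error-code [6]
    # e-data [12] is an OCTET STRING holding METHOD-DATA ::= SEQUENCE OF PA-DATA
    method_data = der_children(fields[12])[0][1] if 12 in fields else b""
    pa_types = [int.from_bytes(ctx_fields(pa)[1], "big", signed=True) for _, pa in der_children(method_data)]
    return error_code, pa_types

def preauth_decision(msg):
    """Client step from the reply: which of the requested pre-auth types can we satisfy?"""
    code, pa_types = parse_krb_error(msg)
    if code != KDC_ERR_PREAUTH_REQUIRED:
        return code, None
    return code, [UNDERSTOOD_PA[t] for t in pa_types if t in UNDERSTOOD_PA]

def build_sample_error(error_code, pa_types):
    """Constructed sample KRB-ERROR (not a real KDC capture) used to exercise the parser."""
    ctx = lambda n, tlv: der(0xA0 | n, tlv)
    num = lambda v: der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))
    name = der(0x30, ctx(0, num(2)) + ctx(1, der(0x30, der(0x1B, b"krbtgt") + der(0x1B, b"EXAMPLE.ORG"))))
    fields = (ctx(0, num(5)) + ctx(1, num(30)) + ctx(4, der(0x18, b"20040621133609Z")) +
              ctx(5, num(0)) + ctx(6, num(error_code)) + ctx(9, der(0x1B, b"EXAMPLE.ORG")) + ctx(10, name))
    if pa_types:  # each PA-DATA: padata-type [1], padata-value [2] (left empty here)
        pads = b"".join(der(0x30, ctx(1, num(t)) + ctx(2, der(0x04, b""))) for t in pa_types)
        fields += ctx(12, der(0x04, der(0x30, pads)))
    return der(0x7E, der(0x30, fields))
```

With an empty list from preauth_decision the client is in the "required pre-auth data cannot be provided" case, which is where the failure code goes back to the LSA and ends up in the event log.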