Java Pre-auth for Windows 2003 AD renamed accounts

Seema Malkani Seema.Malkani at Sun.COM
Thu Aug 18 21:54:20 EDT 2005


Sun's implementation of Java Kerberos has been updated to include 
support for the new Pre-authentication types. This support is available 
starting from Java SE 6.0 (Mustang Release). In addition, we are also 
looking into backporting this support to earlier releases of JDK.

Seema

Douglas E. Engert wrote:

> We have run into this same Java preauth problem from Febuary with 
> Kerbeors preauth
> again, but this time it was because some acocunts where renamed. The 
> problem
> is that the "salt" is uisng the old principal name and Java asumes it 
> knows
> the salt, and does not know how to request the "salt" from the KDC.
>
>
> I see the ietf-krb-wg will be having a meeting and Microsoft will be 
> hosting
> an interoperability event after the meeting. I would suggest that the 
> Java SUN
> people participate, I would like to see this problem solved.
>
>
> Seema Malkani wrote:
>
>> Douglas E. Engert wrote:
>>
>>
>>> MWChapel wrote:
>>>
>>>
>>>
>>>> which it fails, and since the pa-enc-timestamp is included,
>>>> windows should throw a KDC_ERR_PREAUTH_FAILED(24) as per rfc1510. But
>>>> the previous note is stating that we aren't handling the error 24. 
>>>> That
>>>> is where I tend to disagree, with the KDC_ERR_PREAUTH_FAILED there 
>>>> will
>>>> be no e-data provided as stated in rfc1510.  
>>>
>>>
>>> OK, I will agree with that, some KDCs may send extra data with 24 but
>>> not all.
>>>
>>
>> We do handle the preauth correctly when PA-ENC-TIMESTAMP is included;
>> however currently we do not support the new preauthentication types as
>> defined in the Kerberos clarifications. Sun's implementation of Java
>> GSS/Kerberos currently always includes the PA-ENC-TIMESTAMP, and if the
>> KDC returns error code 24 KDC_ERR_PREAUTH_FAILED, we do not process the
>> padata if included with it.
>>
>> I believe in MIT Kerberos implementation, the first AS-REQ does not
>> include preauth, KDC returns error 25 with the padata included in the
>> eData, and client then re-tries with the preauth using the new salt.
>>
>> As per RFC1510bis, the padata is included only when KDC returns error
>> code 25 KDC_ERR_PREAUTH_REQUIRED. Hence Kerberos implementations are
>> expected to process the padata only when error 25 is returned by the
>> KDC. If the the pa-enc-timestamp is included, KDCs do not return with
>> error code 25. However, some KDCs include the padata (new salt in the
>> case of mixed case) even with the error code 24 KDC_ERR_PREAUTH_FAILED.
>>
>> I agree, the solution here is not to include the pre-auth in the first
>> request. However, if the client knows what pre-authentication to use, it
>> may optimize the round-trip and include the pre-auth. However, if the
>> client includes the wrong pre-auth, how should the KDC/client handle is
>> not apparent.
>>
>> Should the KDC return error 24 or 25 ? If KDC returns the error 24 with
>> padata, should implementations ignore it, or retry with the new salt ?
>> In the case of mixed-case, should the KDC return an error 24 or 25 with
>> the new salt ? Seems like we have two cases :-
>> 1) PreAuth_Required, now retry (error code 25)
>> 2) PreAuth_Failed, no retry, client should fail. (error code 24)
>> Should there is a new error code for PreAuth_Failed, retry again ? Or
>> irrespective of the error code, client should always process padata if
>> included and retry ?
>>
>> Or let's say we have a scenario if preauth is not included in the first
>> request, KDC returns error 25 with the padata, and client re-tries with
>> the new salt; however, if the pre-authentication failed (due to various
>> reasons, such as further change to the mixed-case), should the KDC
>> return error 25 again with the new salt, or should KDC return error 24
>> with/without the padata ? Should the client process the padata and retry
>> again with the new salt ?
>>
>> Maybe the next Kerberos clarifications should clarify this particular
>> scenario.
>>
>> Seema
>>
>>
>>
>>
>




More information about the Kerberos mailing list