Denial of service when using Active Directory for KDC?
Tim Alsop
Tim.Alsop at CyberSafe.Ltd.UK
Thu May 5 13:57:49 EDT 2005
Hi,
I wondered if anybody has any experience of this potential DoS issue:
- It is common, when using Active Directory as a KDC for user accounts
to be used when creating service principals, and using the Microsoft
ktpass.exe utility to create a key table file.
- It is also possible to configure Active Directory so that when a user
gets their password wrong more than a specific number of times their
account is locked until an administrator unlocks them.
- If somebody tries to log on (deliberately, or by mistake) using an
account which is being used for a service principal, and gets the
password wrong many times, we assume that the account will be locked in
the same way as a normal user account would be locked.
- If an account gets locked and it is being used for a service
principal, how does Active Directory handle this? Does it still issue
service tickets for the principal when it receives a TGS request? Is
there any special logic in AD so that accounts being used in this way
are not locked?
We plan to do some tests to understand what effect this might have, and
whether there is cause for concern, but I wanted to first see if anybody
else has come across this potential DoS, or has any ideas?
Any feedback welcome.
Take care,
Tim
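An added example (not part of the post above, and not code from its author) showing how a defender can audit the exposure described: it lists every AD user that carries a servicePrincipalName together with the lockout policy that actually applies to it, and correlates lockout events (Security event 4740) with those accounts. It assumes the RSAT ActiveDirectory PowerShell module, read access to the domain, and event-log read access on the PDC emulator; the function names are my own.

```powershell
# Added example: audit lockout exposure of SPN-bearing accounts in AD.
# Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

function Get-SpnAccountLockoutReport {
    # Every user object with at least one SPN, i.e. an account that backs a
    # Kerberos service and whose lockout would stop ticket issuance for it.
    $spnUsers = Get-ADUser -LDAPFilter '(servicePrincipalName=*)' `
        -Properties servicePrincipalName, LockedOut, lockoutTime
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy
    foreach ($u in $spnUsers) {
        # A fine-grained password policy (PSO) overrides the domain default,
        # so resolve the policy that is effective for this account.
        $effective = Get-ADUserResultantPasswordPolicy -Identity $u -ErrorAction SilentlyContinue
        if (-not $effective) { $effective = $domainPolicy }
        [pscustomobject]@{
            SamAccountName   = $u.SamAccountName
            SpnCount         = @($u.servicePrincipalName).Count
            LockoutThreshold = $effective.LockoutThreshold   # 0 = lockout disabled
            LockoutDuration  = $effective.LockoutDuration    # 0 = until admin unlocks
            LockedOut        = [bool]$u.LockedOut
        }
    }
}

function Get-SpnAccountLockoutEvents {
    param(
        # 4740 ("A user account was locked out") is logged on the PDC emulator.
        [string]$Computer = (Get-ADDomain).PDCEmulator,
        [int]$Hours = 24
    )
    $spnNames = (Get-ADUser -LDAPFilter '(servicePrincipalName=*)').SamAccountName
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the EventData fields by name rather than by positional index.
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            $target = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            $caller = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
            if ($spnNames -contains $target) {
                [pscustomobject]@{ Time = $_.TimeCreated; Account = $target; CallerComputer = $caller }
            }
        }
}

# Accounts currently in the locked state the post asks about, then recent lockouts of SPN accounts.
Get-SpnAccountLockoutReport | Where-Object LockedOut | Format-Table -AutoSize
Get-SpnAccountLockoutEvents | Format-Table -AutoSize
```

Accounts reported with a non-zero LockoutThreshold and a LockoutDuration of 0 are the ones where a burst of bad passwords leaves the service unavailable until an administrator intervenes.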