Denial of service when using Active Directory for KDC ?

Markus Moeller huaraz at moeller.plus.com
Thu May 5 16:52:37 EDT 2005


Tim,
in our setup we use computer accounts instead of user accounts, and haven't
experienced this issue. I think the latest ktpass can do this with
mapuser having a $ at the end.

See ktpass for 2003 SP1
http://www.microsoft.com/downloads/ThankYou.aspx?familyId=6ec50b78-8be1-4e81-b3be-4e7ac4f0912d&displayLang=en

Regards
Markus

"Tim Alsop" <Tim.Alsop at cybersafe.ltd.uk> wrote in message
news:0D8F2EFD3A10E24DAEEA48EA6DA07D30152DD4 at postman-pat.csafe.local...
> Hi,
>
> I wondered if anybody has any experience of this potential DoS issue:
>
> - It is common, when using Active Directory as a KDC for user accounts
> to be used when creating service principals, and using the Microsoft
> ktpass.exe utility to create a key table file.
>
> - It is also possible to configure Active Directory so that when a user
> gets their password wrong more than a specific number of times their
> account is locked until an administrator unlocks them.
>
> - If somebody tries to logon (deliberately, or by mistake) using an
> account which is being used for a service principal, and gets the
> password wrong many times, we assume that the account will be locked in
> the same way as a normal user account would be locked.
>
> - If an account gets locked and it is being used for a service
> principal, how does Active Directory handle this? Does it still issue
> service tickets for the principal when it receives a TGS request? Is
> there any special logic in AD so that accounts being used in this way
> are not locked?
>
> We plan to do some tests to understand what effect this might have, and
> whether there is cause for concern, but I wanted to first see if anybody
> else has come across this potential DoS, or has any ideas?
>
> Any feedback welcome.
>
> Take care,
>
> Tim
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
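An added audit example (not code from either poster) that applies the thread's distinction: it walks AD-style account records, reports every service principal name hosted on an ordinary user account (the ones that a lockout policy can take out of service), skips computer accounts, and flags any such account whose lockoutTime is set. The records are constructed sample data; the attribute names and userAccountControl bits are the real AD ones.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# userAccountControl flag bits as defined by Active Directory.
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000


@dataclass
class Account:
    """Subset of an AD account object as an LDAP query would return it."""
    sam_account_name: str
    user_account_control: int
    service_principal_names: List[str] = field(default_factory=list)
    lockout_time: int = 0  # AD lockoutTime; 0 means the account is not locked


def is_computer_account(acct: Account) -> bool:
    # Computer accounts carry a trust-account bit and a trailing '$' in
    # sAMAccountName (the form ktpass /mapuser needs, as the reply notes).
    trust_bits = UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT
    return bool(acct.user_account_control & trust_bits) or acct.sam_account_name.endswith("$")


def audit(accounts: List[Account]) -> List[Tuple[str, str, str]]:
    """Return (spn, account, status) for each SPN hosted on a user account.

    status is 'LOCKED' when lockoutTime is non-zero, else 'lockable'.
    Caveat: AD does not clear lockoutTime when lockoutDuration expires, so a
    live query should also compare the timestamp against that policy value.
    """
    findings = []
    for acct in accounts:
        if not acct.service_principal_names or is_computer_account(acct):
            continue
        status = "LOCKED" if acct.lockout_time != 0 else "lockable"
        for spn in acct.service_principal_names:
            findings.append((spn, acct.sam_account_name, status))
    return findings


# Constructed sample records (hypothetical names, not from the thread).
SAMPLE_ACCOUNTS = [
    Account("svc-http", UF_NORMAL_ACCOUNT, ["HTTP/web.example.com"], lockout_time=132000000000000000),
    Account("svc-ldap", UF_NORMAL_ACCOUNT, ["ldap/dir.example.com"]),
    Account("WEB01$", UF_WORKSTATION_TRUST_ACCOUNT, ["HOST/web01.example.com"]),
    Account("jdoe", UF_NORMAL_ACCOUNT),
]

if __name__ == "__main__":
    for spn, account, status in audit(SAMPLE_ACCOUNTS):
        print(f"{status:8} {spn} -> {account}")
```

Running it lists the two SPNs on user accounts and marks svc-http as locked, while the SPN on WEB01$ is not reported.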