Decrypting KRB_AS_REP ticket
Kallapur, Madhusudan V
madhusudan.v.kallapur at intel.com
Mon May 9 17:23:24 EDT 2005
Hi,

I am trying to create a quick prototype for a kerberized service which
would look at the authorization data (with SIDs) present in the service
ticket and accept/reject the service request. To start with, I created
an SPN in Active Directory (Windows 2003 domain controller/KDC) for
this service using "ktpass" with the -princ and -mapuser options, with
-crypto being RC4-HMAC-NT. Then I created a service ticket for this
service using the "kinit -S service" option; I did this from a Linux
client in the same domain with a user account. Now I am trying to
decrypt the KRB_AS_REP packet which contains the service ticket and get
the authorization data. I used the "krb5_arcfour_decrypt" API for the
decryption. I see that the decryption fails with
KRB5KRB_AP_ERR_BAD_INTEGRITY. I am using the service key given out by
the "ktpass" tool after it created the keytab file to decrypt the
service ticket.

I suspect that the key used by the KDC for generating this service
request may be different than the one thrown out by "ktpass".

Has anyone seen this before? Does anyone know why this is not working?
Any help/suggestions would be greatly appreciated.

Thanks,
Madhu
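
An added example, not part of the original post and not MIT krb5 code: the RC4-HMAC (RFC 4757) encrypt and decrypt steps in Python, showing that the integrity check fails whenever the long-term key or the key-usage number differs from what the encryptor used. The keys, the payload and all function names are constructed for illustration; usage 2 is the key usage for a ticket's encrypted part.

```python
import hashlib, hmac, os, struct

class BadIntegrity(Exception):
    """Stands in for KRB5KRB_AP_ERR_BAD_INTEGRITY (class name is hypothetical)."""

def rc4(key: bytes, data: bytes) -> bytes:
    # Plain RC4: key scheduling, then keystream XOR.
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()

def encrypt(key: bytes, usage: int, plaintext: bytes) -> bytes:
    k1 = hmac_md5(key, struct.pack("<I", usage))  # usage-specific key
    body = os.urandom(8) + plaintext              # 8-byte random confounder
    checksum = hmac_md5(k1, body)
    return checksum + rc4(hmac_md5(k1, checksum), body)

def decrypt(key: bytes, usage: int, blob: bytes) -> bytes:
    if len(blob) < 24:                            # 16-byte checksum + confounder
        raise BadIntegrity("ciphertext too short")
    k1 = hmac_md5(key, struct.pack("<I", usage))
    checksum, enc = blob[:16], blob[16:]
    body = rc4(hmac_md5(k1, checksum), enc)
    if not hmac.compare_digest(hmac_md5(k1, body), checksum):
        raise BadIntegrity("checksum mismatch")
    return body[8:]                               # strip the confounder

def outcome(key: bytes, usage: int, blob: bytes):
    try:
        return decrypt(key, usage, blob)
    except BadIntegrity:
        return "BAD_INTEGRITY"

# Constructed sample values, not taken from any real KDC or keytab.
KDC_KEY = bytes(range(16))
KEYTAB_KEY = bytes(range(1, 17))
TICKET = encrypt(KDC_KEY, 2, b"constructed EncTicketPart bytes")
```

Only `outcome(KDC_KEY, 2, TICKET)` returns the plaintext; a keytab key that does not match the KDC's key for the account, or the right key with another usage number, both end in the same integrity error.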