Decrypting KRB_AS_REP ticket
Douglas E. Engert
deengert at anl.gov
Tue May 10 10:15:20 EDT 2005
Kallapur, Madhusudan V wrote:
> Hi,
>
>
>
> I am trying to create a quick prototype for a kerberized service which
> would look at the authorization data( with SID's) present in the service
> ticket and accept/reject the service request. To start with, I created
> an SPN in the active directory(windows 2003 Domain controller /KDC) for
> this service using "ktpass" with -princ -mapuser options with -crypto
> being RC4-HMAC-NT. Then I created a service ticket for this service
> using "kinit -S service" option, I did this from a linux client in the
> same domain with a user account. Now I am trying to decrypt the
> KRB_AS_REP packet which contains the service ticket and get the
> authorization data.
I would suspect that the KRB_AS_REP enc-part is encrypted in the
user's key. The enc-part (EncTicketPart) of the Ticket in the KREB_AS_REP
would be in encrypted in the servers's key.
I used the "krb5_arcfour_decrypt" API for the
> decryption. I see that the decryption fails with
> KRB5KRB_AP_ERR_BAD_INTEGRITY. I am using the service key given out by
> the "ktpass" tool after it created the keytab file, to decrypt the
> service ticket.
>
>
Sounds like you are too low a level in the Kerberos API, and may be
missing some thing, like a key derivation.
You may want to look at krb5_decrypt_tkt_part in decrypt_tk.c
which is used by b5_rd_req_decrypt_tkt_part to process the KRB_AP_REQ
which is what the server would normally use.
>
> I am suspecting that the key used by the KDC for generating this service
> request may be different than the one thrown out by "ktpass".
>
> Has anyone seen this before ? Does anyone know why this is not working ?
>
>
>
> Any help/suggestions would be greatly appreciated.
>
>
>
> Thanks,
>
> Madhu
>
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list