Shall I capture Kerberos-password failure error message ALONE?

Surendra Babu A surendra.a at samsung.com
Mon Feb 6 06:41:41 EST 2006


Hi Team,

Thanks a lot for your reply. Still I am a bit hazy on this point. Could you
please clarify the following?

Do you mean to say:

If we fill in the preauth information in the AS-REQ packet and send it to the KDC:
- Then in that case, if the client enters the password wrongly, the KDC returns
the preauth failure error. (Since a time mismatch exists between the KDC server
and the client.)

If we don't send the preauth information with the AS-REQ packet:
- Then the wrong password at the client side results in a password failure error,
since preauth is disabled. (Though a time mismatch of more than 5
minutes exists.)

Conclusion:
1. Assume that the time difference between the KDC and the client is more than 5
minutes. (Let us say 24 hours.)
2. If we don't send the preauth information with the AS-REQ packet, a wrong
password at the client results in a password failure error (even though a time
mismatch exists).
3. Because we did not send the preauth information in the AS-REQ packet, we will
receive a password failure error but not a preauth failure error.

Is it right? Please let me know your thoughts.

Thank you,
-Surendra

----- Original Message ----- 
From: "Douglas E. Engert" <deengert at anl.gov>
To: "Surendra Babu A" <surendra.a at samsung.com>
Cc: <kerberos at mit.edu>
Sent: Friday, February 03, 2006 9:12 PM
Subject: Re: Shall I capture Kerberos-password failure error message ALONE?


>
>
> Surendra Babu A wrote:
>
> > And one more thing: I am using Windows 2003 exchange server as my KDC
> > server.
>
> AD does have alert messages about KDC failures. Note that the password is
> never sent to the KDC. The KDC can only detect a failure if pre-auth is used,
> and the client returns a pre-auth response encrypted in the wrong key
> generated from the wrong password and salt.
>
> >
> > Please let me know your thoughts.
> >
> > Thank you,
> > -Surendra
> >   ----- Original Message -----
> >   From: Surendra Babu A
> >   To: kerberos at mit.edu
> >   Sent: Thursday, February 02, 2006 12:58 PM
> >   Subject: Shall I capture Kerberos-password failure error message ALONE?
> >
> >
> >   Hi Kerberos Team,
> >
> >   If I enter the wrong password at the KDC client, the KDC server gives the
> >   response of PREAUTH_FAILURE error. Right?
> >
> >   1. Is there any way I can get a password failure error message? Is it
> >   true that "Password verification will be done before sending preauth
> >   failure message?"
> >
> >
> >   2. Can I capture the error message of password failure alone (regardless
> >   of preauth failure error)? That means, if I enter the wrong password, the
> >   KDC server should reply with an error. If I enter the correct password, the
> >   KDC should respond with a SUCCESS message (without considering the preauth
> >   failure error). Is it possible with krb5 code?
> >
> >   Please let me know your thoughts. Thank you.
> >   -Surendra
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> >
>
> --
>
>   Douglas E. Engert  <DEEngert at anl.gov>
>   Argonne National Laboratory
>   9700 South Cass Avenue
>   Argonne, Illinois  60439
>   (630) 252-5444
>
>
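The point Doug makes above (the password never travels to the KDC, so the KDC can only detect a wrong password when the client sends a PA-ENC-TIMESTAMP encrypted under a key derived from that password) is modelled in the following added example. It is not code from the thread or from MIT krb5 or Active Directory; it is a toy AS exchange written for this page. Its assumptions: the string-to-key step is a plain PBKDF2-HMAC-SHA1 derivation in the style of RFC 3962 (the real profile adds a further derivation step), the Kerberos EncryptedData is replaced by an HMAC-based encrypt-then-MAC stand-in, and the principal name, realm, passwords and timestamps are constructed values. The ToyKDC, as_exchange and run_scenarios names are the example's own, and the ordering "decrypt first, then check the clock" is a simplification of how a KDC handles the encrypted timestamp, not a statement about any specific implementation.

```python
"""Toy model of the Kerberos AS exchange with and without PA-ENC-TIMESTAMP.

Added example (not from the thread, MIT krb5 or AD). It shows what the KDC can
and cannot observe about a wrong password, and how clock skew interacts.
"""
import hashlib
import hmac
import os
import struct

# Default maximum clock skew discussed in the thread: 5 minutes.
CLOCK_SKEW = 300


def string_to_key(password: str, salt: str) -> bytes:
    """Derive the client's long-term key from password and salt.

    Simplified RFC 3962-style derivation (PBKDF2-HMAC-SHA1, 4096 iterations,
    salt = realm + principal). Assumption: the real profile's extra
    key-derivation step is omitted; this is enough to show that a wrong
    password yields a different key than the one the KDC stores.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a stream cipher keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for Kerberos EncryptedData (encrypt-then-MAC).

    Layout: nonce(16) || ciphertext || tag(32). Not a real Kerberos enctype.
    """
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Raise ValueError on a wrong key: this is the integrity failure the KDC
    (with preauth) or the client (without preauth) sees after a wrong password."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class ToyKDC:
    """Holds each principal's stored key and answers AS-REQs."""

    def __init__(self, keys: dict):
        self.keys = keys

    def handle_as_req(self, principal: str, pa_enc_timestamp, now: int):
        key = self.keys[principal]
        if pa_enc_timestamp is None:
            # No preauth: nothing in the request depends on the password, so the
            # KDC has no way to judge it and simply issues the AS-REP.
            return "AS-REP", encrypt(key, b"session-key:" + os.urandom(8))
        try:
            ts_bytes = decrypt(key, pa_enc_timestamp)
        except ValueError:
            # Wrong password or salt on the client: the timestamp does not decrypt
            # under the stored key. In this model this is checked before the clock.
            return "KDC_ERR_PREAUTH_FAILED", None
        client_time = struct.unpack(">Q", ts_bytes)[0]
        if abs(client_time - now) > CLOCK_SKEW:
            return "KRB_AP_ERR_SKEW", None
        return "AS-REP", encrypt(key, b"session-key:" + os.urandom(8))


def as_exchange(kdc, principal, salt, password, use_preauth, client_time, kdc_time):
    """Client side of the AS exchange; returns what the client observes."""
    key = string_to_key(password, salt)
    pa = encrypt(key, struct.pack(">Q", client_time)) if use_preauth else None
    msg, body = kdc.handle_as_req(principal, pa, now=kdc_time)
    if msg != "AS-REP":
        return msg
    try:
        decrypt(key, body)
        return "AS-REP decrypted: login succeeds"
    except ValueError:
        return "AS-REP undecryptable: client-side failure, KDC saw no error"


def run_scenarios() -> dict:
    """The cases raised in the thread, with constructed principal and passwords."""
    salt = "EXAMPLE.COMuser"  # constructed: realm + principal name
    kdc = ToyKDC({"user": string_to_key("correct horse", salt)})
    now, day = 1_000_000, 24 * 3600
    return {
        "preauth, wrong password, clocks in sync": as_exchange(kdc, "user", salt, "wrong", True, now, now),
        "preauth, wrong password, 24h skew": as_exchange(kdc, "user", salt, "wrong", True, now + day, now),
        "preauth, right password, 24h skew": as_exchange(kdc, "user", salt, "correct horse", True, now + day, now),
        "preauth, right password, clocks in sync": as_exchange(kdc, "user", salt, "correct horse", True, now, now),
        "no preauth, wrong password, 24h skew": as_exchange(kdc, "user", salt, "wrong", False, now + day, now),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:42} -> {outcome}")
```

The scenarios make the distinction concrete: with preauth, a wrong password surfaces at the KDC as a preauth failure regardless of skew, and skew only shows once the timestamp decrypts; without preauth, the KDC returns an AS-REP and the wrong password is only discovered when the client fails to decrypt it, so a KDC-side alert for bad passwords needs preauth to be in use.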