Different error codes between AD KDC and MIT KDC

Mike Friedman mikef at ack.Berkeley.EDU
Mon Jun 19 13:50:30 EDT 2006

Hash: SHA1

On Mon, 19 Jun 2006 at 12:42 (-0000), Jeffrey Altman wrote:

> Mike Friedman wrote:
>> I've been testing some Kerberos authentication code against both my MIT 
>> K5 KDC and a Windows Active Directory KDC.  In both cases, I'm using 
>> pre-authentication.  However, when I enter an incorrect password, the 
>> MIT KDC returns 31 (decrypt integrity check failure), whereas the AD 
>> KDC returns 24 (preauth failure).  I'm just wondering what might 
>> account for the different responses. ...
> It is a difference is the way the RFC 4120 was interpreted.  Microsoft 
> read section 3.1.3 to indicate that only KDC_ERR_PREAUTH_FAILED may be 
> returned if the pre-authentication check fails.  MIT has historically 
> provided the more specific error when the failure condition when the 
> known key fails to decrypt the request.

Indeed.  In the course of my testing, I've discovered that Windows 
Kerberos, in general, seems to provide less informative return codes than 
MIT K5, in particular in their admin interface which is not, of course, 
subject to the Kerberos protocol specs.  For example, when changing a 
password, I can't tell the reason for a rejected new password, only that 
it's invalid.


Mike Friedman                   System and Network Security
mikef at ack.Berkeley.EDU          2484 Shattuck Avenue
1-510-642-1410                  University of California at Berkeley
http://ack.Berkeley.EDU/~mikef  http://security.berkeley.edu

Version: PGP 6.5.8


More information about the Kerberos mailing list