Different error codes between AD KDC and MIT KDC

Mike Friedman mikef at ack.Berkeley.EDU
Mon Jun 19 13:50:30 EDT 2006



On Mon, 19 Jun 2006 at 12:42 (-0000), Jeffrey Altman wrote:

> Mike Friedman wrote:
>> I've been testing some Kerberos authentication code against both my MIT 
>> K5 KDC and a Windows Active Directory KDC.  In both cases, I'm using 
>> pre-authentication.  However, when I enter an incorrect password, the 
>> MIT KDC returns 31 (decrypt integrity check failure), whereas the AD 
>> KDC returns 24 (preauth failure).  I'm just wondering what might 
>> account for the different responses. ...
> It is a difference in the way RFC 4120 was interpreted.  Microsoft 
> read section 3.1.3 to indicate that only KDC_ERR_PREAUTH_FAILED may be 
> returned if the pre-authentication check fails.  MIT has historically 
> provided the more specific error when the failure condition is that the 
> known key fails to decrypt the request.

Indeed.  In the course of my testing, I've discovered that Windows 
Kerberos, in general, seems to provide less informative return codes than 
MIT K5, in particular in their admin interface, which is not, of course, 
subject to the Kerberos protocol specs.  For example, when changing a 
password, I can't tell the reason for a rejected new password, only that 
it's invalid.

Mike

_____________________________________________________________________
Mike Friedman                   System and Network Security
mikef at ack.Berkeley.EDU          2484 Shattuck Avenue
1-510-642-1410                  University of California at Berkeley
http://ack.Berkeley.EDU/~mikef  http://security.berkeley.edu
_____________________________________________________________________

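Added example (not code from the thread): authentication code that checks only for error 24 will misclassify a wrong password against an MIT KDC, which returns 31 for the same condition. The helper below maps both RFC 4120 codes to one vendor-neutral outcome and aggregates bad-password attempts per principal across both KDC types; the event records are constructed.

```python
"""Normalise Kerberos AS-REQ error codes from an MIT KDC and an AD KDC.

Added example, not from the original thread. The numeric codes are the
RFC 4120 values the thread quotes (24 KDC_ERR_PREAUTH_FAILED from AD and
31 KRB_AP_ERR_BAD_INTEGRITY from MIT); the sample events are constructed.
"""
from collections import Counter

# RFC 4120 KRB-ERROR codes relevant to a failed pre-authentication attempt.
KDC_ERR_PREAUTH_FAILED = 24       # AD's answer to a wrong password
KRB_AP_ERR_BAD_INTEGRITY = 31     # MIT krb5's historical answer to the same
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6   # client principal does not exist
KDC_ERR_CLIENT_REVOKED = 18       # client principal is disabled/locked


def classify(error_code):
    """Map a KRB-ERROR code to a vendor-neutral outcome for the caller."""
    if error_code in (KDC_ERR_PREAUTH_FAILED, KRB_AP_ERR_BAD_INTEGRITY):
        return "bad_password"         # one condition, two different codes
    if error_code == KDC_ERR_C_PRINCIPAL_UNKNOWN:
        return "unknown_principal"
    if error_code == KDC_ERR_CLIENT_REVOKED:
        return "revoked"
    return "other"


def failed_password_counts(events):
    """Count bad-password attempts per client principal, whichever KDC answered."""
    counts = Counter()
    for ev in events:
        if classify(ev["error_code"]) == "bad_password":
            counts[ev["client"]] += 1
    return counts


# Constructed sample outcomes: the same user failing against both KDC types.
SAMPLE_EVENTS = [
    {"kdc": "mit", "client": "alice@EXAMPLE.ORG", "error_code": 31},
    {"kdc": "ad", "client": "alice@EXAMPLE.ORG", "error_code": 24},
    {"kdc": "ad", "client": "bob@EXAMPLE.ORG", "error_code": 6},
    {"kdc": "mit", "client": "bob@EXAMPLE.ORG", "error_code": 31},
]

if __name__ == "__main__":
    print(failed_password_counts(SAMPLE_EVENTS))
```

Without the normalisation, a lockout or alerting rule keyed on code 24 alone would count alice once instead of twice.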
