Kerberos, Windows2008 RODC and ticket forwarding Problem
Greg Hudson
ghudson at MIT.EDU
Mon Apr 16 11:20:40 EDT 2012
On 04/16/2012 10:36 AM, Sebastian Galiano wrote:
> I applied the patches to my clients, and still not working. Is there any way to test if the enconding has been placed correctly? Should I also apply the patch to the kdc?
No, it's not necessary to apply it to the KDC.
If you're using wireshark, you can look at how the kvno is encoded in a
TGS request. Expand the PA-TGS-REQ padata item, then the type and
value, then the Ticket in there, and then click on the Tkt-vno field.
Now look at the hex window below. You should see "02 LL" followed by
some highlighted bytes, where LL is between 01 and 05 and is equal to
the number of highlighted bytes.
For a TGS request to a Windows RODC, the kvno value will be large. The
interop issue arises when the kvno is between 2147483648 and 4294967295.
If such a value is encoded with five bytes, then the fix hasn't been
properly applied and the kvno encoding issue is your problem. If it's
encoded with four bytes, the interop fix has been properly applied and
your problem lies elsewhere.
More information about the Kerberos
mailing list