Kerberos, Windows2008 RODC and ticket forwarding Problem

Sebastian Galiano Sebastian.Galiano at spilgames.com
Thu Apr 19 02:37:23 EDT 2012


Ok. I followed your indications. I have the 02 LL, LL being 01. So only one byte is highlighted: 05.
So it is not a long value... It doesn't correspond with your problem description, but I've been comparing the captures of my two tests:

1. Not forwarding: cross-realm authentication directly from the ssh server to access the NFS server (using RODC W2008). Result: it works.
2. Ticket forwarding: cross-realm authentication from my desktop computer using a regular W2008 DC to the ssh server, and then from there trying to access the NFS server, but this time requesting the service ticket from a RODC using the ticket forwarded from my W2008 server. Result: it doesn't work.

For me the main difference is that the Name-Type field is not being set. In the first case the Name-Type in the TGS Request is set to Service and Instance. In the second case it is set to unknown, and Windows Server 2008 R2 RODC insists on TGS principal names having the name type.

Could it be that the Name-Type must be set somewhere else?

TGS-REQ capture image in Case 2:
http://imageshack.us/photo/my-images/526/kerberos.jpg/

________________________________________
From: Sebastian Galiano
Sent: 17 April 2012 09:07
To: Greg Hudson
Cc: kerberos at mit.edu
Subject: RE: Kerberos, Windows2008 RODC and ticket forwarding Problem

Ok. I followed your indications. As you can see in the capture I have the 02 LL, LL being 01. So only one byte is highlighted, 05.
So it is not a long value...
________________________________________
From: Greg Hudson [ghudson at MIT.EDU]
Sent: 16 April 2012 17:20
To: Sebastian Galiano
Cc: kerberos at mit.edu
Subject: Re: Kerberos, Windows2008 RODC and ticket forwarding Problem

On 04/16/2012 10:36 AM, Sebastian Galiano wrote:
> I applied the patches to my clients, and it's still not working. Is there any way to test if the encoding has been placed correctly? Should I also apply the patch to the KDC?

No, it's not necessary to apply it to the KDC.

If you're using wireshark, you can look at how the kvno is encoded in a
TGS request.  Expand the PA-TGS-REQ padata item, then the type and
value, then the Ticket in there, and then click on the Tkt-vno field.
Now look at the hex window below.  You should see "02 LL" followed by
some highlighted bytes, where LL is between 01 and 05 and is equal to
the number of highlighted bytes.

For a TGS request to a Windows RODC, the kvno value will be large.  The
interop issue arises when the kvno is between 2147483648 and 4294967295.
 If such a value is encoded with five bytes, then the fix hasn't been
properly applied and the kvno encoding issue is your problem.  If it's
encoded with four bytes, the interop fix has been properly applied and
your problem lies elsewhere.
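The "02 LL" pattern in the check above is the DER tag and length of an ASN.1 INTEGER, and the two encodings being compared are the same 32-bit kvno written either as a non-negative integer (RFC 4120 declares kvno as UInt32 inside the ticket's EncryptedData, which needs a 0x00 pad byte once bit 31 is set, so five content bytes) or as a signed 32-bit two's-complement integer (four content bytes, the value reading as negative). Note that the ticket's tkt-vno is the constant 5, so a one-byte "02 01 05" is what tkt-vno looks like; the kvno the check is about sits in the ticket's enc-part. The script below is an added example, not code from the thread or from MIT krb5: it encodes a kvno both ways and applies the five-bytes-versus-four-bytes rule from the message to a captured INTEGER. The sample kvno 0x80010005 is a constructed value with bit 31 set, not one taken from the thread's captures.

```python
# Added example (not from the thread or MIT krb5): encode a Kerberos kvno the
# two ways discussed above and inspect a captured "02 LL ..." DER INTEGER the
# way the Wireshark check describes. All sample values are constructed.

HIGH_RANGE = (2147483648, 4294967295)   # kvno values with bit 31 set, per the thread


def der_integer(value: int) -> bytes:
    """DER INTEGER: tag 0x02, one length byte, minimal two's-complement content."""
    length = 1
    while True:
        try:
            content = value.to_bytes(length, "big", signed=True)
            break
        except OverflowError:      # does not fit yet: try one more byte
            length += 1
    return b"\x02" + bytes([len(content)]) + content


def encode_kvno_unsigned(kvno: int) -> bytes:
    """kvno as RFC 4120 UInt32: non-negative, so a leading 0x00 pad byte is
    required once bit 31 is set, giving five content bytes."""
    if not 0 <= kvno <= 0xFFFFFFFF:
        raise ValueError("kvno must fit in 32 bits")
    return der_integer(kvno)


def encode_kvno_signed32(kvno: int) -> bytes:
    """kvno as a signed 32-bit integer: same bit pattern, but values with bit 31
    set are emitted as negatives, which DER packs into four content bytes for
    kvnos like the RODC ones in the thread (fewer only if the top bytes are 0xFF)."""
    if not 0 <= kvno <= 0xFFFFFFFF:
        raise ValueError("kvno must fit in 32 bits")
    if kvno >= 1 << 31:
        kvno -= 1 << 32
    return der_integer(kvno)


def parse_kvno_tlv(data: bytes) -> tuple:
    """Read one DER INTEGER and return (LL, kvno interpreted as unsigned 32-bit)."""
    if len(data) < 2 or data[0] != 0x02:
        raise ValueError("not a DER INTEGER (tag 0x02)")
    length = data[1]
    if length & 0x80 or length == 0 or len(data) < 2 + length:
        raise ValueError("unsupported or truncated length")
    content = data[2:2 + length]
    # DER forbids redundant leading bytes; reject them rather than guess.
    if length > 1 and (
        (content[0] == 0x00 and not content[1] & 0x80)
        or (content[0] == 0xFF and content[1] & 0x80)
    ):
        raise ValueError("non-minimal INTEGER encoding")
    value = int.from_bytes(content, "big", signed=True)
    return length, value & 0xFFFFFFFF   # fold a negative back to its 32-bit pattern


def classify_kvno(data: bytes) -> str:
    """Apply the rule from the message: in the high range, 5 bytes means the
    interop fix is missing, 4 bytes means it is present."""
    length, kvno = parse_kvno_tlv(data)
    lo, hi = HIGH_RANGE
    if not lo <= kvno <= hi:
        return f"kvno {kvno} is outside {lo}..{hi}; the kvno encoding is not the issue"
    if length == 5:
        return f"kvno {kvno} uses 5 bytes: the interop fix is not applied"
    if length == 4:
        return f"kvno {kvno} uses 4 bytes: the fix is applied, look elsewhere"
    return f"kvno {kvno} uses {length} bytes: unexpected encoding"


if __name__ == "__main__":
    sample_kvno = 0x80010005   # constructed RODC-style kvno with bit 31 set
    for label, tlv in (("UInt32  ", encode_kvno_unsigned(sample_kvno)),
                       ("signed32", encode_kvno_signed32(sample_kvno))):
        print(label, tlv.hex(" "), "->", classify_kvno(tlv))
```

Running it prints the five-byte form `02 05 00 80 01 00 05` and the four-byte form `02 04 80 01 00 05` for the same kvno, which is exactly the difference the hex window shows; feed `classify_kvno` the bytes copied from a real capture to get the same verdict the message describes.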
