Kerberos, Windows2008 RODC and ticket forwarding Problem

Tom Yu tlyu at MIT.EDU
Thu Apr 19 13:19:13 EDT 2012


Sebastian Galiano <Sebastian.Galiano at spilgames.com> writes:

> Ok. I followed your indications. I have the 02 LL, being LL 01. So only one byte is highlighted: 05.

The number 5 is slightly suspicious in this context, so I looked at
your image capture.  You've highlighted the protocol version number
for the Ticket PDU, which is always a constant integer 5: "tkt-vno [0]
INTEGER (5)"... you're looking for the kvno of the EncryptedData
that's inside the Ticket.  At offset 0x097, there is "A1 03 02 01 02",
which is an integer with tag [1] and value 2 -- the kvno field of the
EncryptedData inside the Ticket.

> So, it is not a long value... it doesn't correspond with your problem description, but I've been comparing the captures of my two tests:

So you are right that the kvno in question isn't long enough to
exhibit the problem that Greg was describing.

> 1. Not forwarding cross-realm authentication directly from the ssh server to access the NFS server (using RODC W2008): result, it works.
> 2. Ticket forwarding cross-realm authentication from my desktop computer using a regular W2008 DC to the ssh server and then from there, trying to access the NFS server, but this time requesting the service ticket from a RODC using the forwarded ticket from my W2008 server. Result: it doesn't work.
>
> For me the main difference is that the field Name-Type is not being set. In the first case the Name-Type is set to Service and Instance in the TGS Request. In the second case it is set to unknown, and Windows Server 2008 R2 RODC insists on TGS principal names having the name type.
>
> Could it be that the Name-Type must be set somewhere else?

It could be that the fix for setting the name-type of the TGS
principal was not complete.  We'll look more closely.

> TGS-REQ capture image in the Case 2:
> http://imageshack.us/photo/my-images/526/kerberos.jpg/
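The tkt-vno/kvno confusion Tom points at above comes down to walking the DER of the Ticket: tkt-vno is the `[0] INTEGER (5)` at the top of the Ticket, while the kvno is the `[1] INTEGER` inside the enc-part EncryptedData, encoded as `A1 03 02 01 02` for kvno 2. The following is an added worked example, not code from the thread or from MIT Kerberos: a minimal DER walker that extracts tkt-vno, the sname name-type (the same PrincipalName encoding the TGS-REQ sname uses, with NT-UNKNOWN = 0 and NT-SRV-INST = 2 from RFC 4120), and the enc-part etype/kvno, reporting the kvno's offset and raw bytes the way one would read them off a capture. It also handles a kvno whose INTEGER needs more than one byte and a Ticket that omits the OPTIONAL kvno. The sample Ticket is constructed here; its realm, service name and cipher bytes are placeholders.

```python
# Added example: minimal DER walker for a Kerberos Ticket (RFC 4120 5.3).
# The sample ticket built at the bottom is constructed for this example;
# realm, sname and cipher bytes are placeholders, not data from the thread.

NT_UNKNOWN, NT_PRINCIPAL, NT_SRV_INST = 0, 1, 2   # RFC 4120 name-types


def der_tlv(buf, off):
    """Decode the TLV header at buf[off]; return (tag, value_start, value_end)."""
    tag = buf[off]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not used in Ticket")
    first = buf[off + 1]
    if first < 0x80:                       # short-form length
        length, start = first, off + 2
    else:                                  # long form: 0x8n followed by n length bytes
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized DER length")
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        start = off + 2 + n
    end = start + length
    if end > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, start, end


def der_children(buf, start, end):
    """Yield (tag, tlv_offset, value_start, value_end) for each TLV inside a constructed value."""
    off = start
    while off < end:
        tag, vs, ve = der_tlv(buf, off)
        yield tag, off, vs, ve
        off = ve


def der_int(buf, off):
    """Decode the INTEGER TLV at off (big-endian two's complement, any length)."""
    tag, s, e = der_tlv(buf, off)
    if tag != 0x02:
        raise ValueError("expected INTEGER")
    return int.from_bytes(buf[s:e], "big", signed=True)


def ticket_versions(der):
    """Return tkt-vno, sname name-type and the enc-part etype/kvno of a Ticket.
    kvno is OPTIONAL in EncryptedData, so the 'kvno' keys may be absent."""
    tag, s, e = der_tlv(der, 0)
    if tag != 0x61:                        # [APPLICATION 1] constructed
        raise ValueError("not a Ticket")
    tag, s, e = der_tlv(der, s)
    if tag != 0x30:
        raise ValueError("Ticket body is not a SEQUENCE")
    out = {}
    for tag, off, vs, ve in der_children(der, s, e):
        if tag == 0xA0:                    # tkt-vno [0] INTEGER (5) -- always 5
            out["tkt_vno"] = der_int(der, vs)
        elif tag == 0xA2:                  # sname [2] PrincipalName
            _, ps, pe = der_tlv(der, vs)
            for ptag, _, pvs, _ in der_children(der, ps, pe):
                if ptag == 0xA0:           # name-type [0] Int32
                    out["sname_name_type"] = der_int(der, pvs)
        elif tag == 0xA3:                  # enc-part [3] EncryptedData
            _, es, ee = der_tlv(der, vs)
            for etag, eoff, evs, eve in der_children(der, es, ee):
                if etag == 0xA0:           # etype [0] Int32
                    out["etype"] = der_int(der, evs)
                elif etag == 0xA1:         # kvno [1] UInt32 OPTIONAL -- the field to read
                    out["kvno"] = der_int(der, evs)
                    out["kvno_offset"] = eoff
                    out["kvno_raw"] = der[eoff:eve].hex()
    return out


# --- constructed sample data (encoder side) ---------------------------------

def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        lenb = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        lenb = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + lenb + content


def _int(v):
    # one extra bit of room so a leading 1 bit is not read as a sign bit
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def build_sample_ticket(kvno=2, etype=18, name_type=NT_SRV_INST, cipher_len=32):
    """Constructed Ticket (placeholder values); pass kvno=None to omit the OPTIONAL kvno."""
    gs = lambda s: _tlv(0x1B, s.encode())           # KerberosString is a GeneralString
    sname = _tlv(0x30, _tlv(0xA0, _int(name_type))
                 + _tlv(0xA1, _tlv(0x30, gs("nfs") + gs("nfs.example.com"))))
    enc = _tlv(0xA0, _int(etype))
    if kvno is not None:
        enc += _tlv(0xA1, _int(kvno))
    enc += _tlv(0xA2, _tlv(0x04, bytes(cipher_len)))  # cipher placeholder
    body = (_tlv(0xA0, _int(5)) + _tlv(0xA1, gs("EXAMPLE.COM"))
            + _tlv(0xA2, sname) + _tlv(0xA3, _tlv(0x30, enc)))
    return _tlv(0x61, _tlv(0x30, body))


if __name__ == "__main__":
    t = build_sample_ticket(kvno=2)
    v = ticket_versions(t)
    print(f"tkt-vno={v['tkt_vno']} name-type={v['sname_name_type']} "
          f"kvno={v['kvno']} at offset {v['kvno_offset']:#05x}: {v['kvno_raw']}")
```

Run as a script it prints the two version numbers side by side, with the kvno's raw `a103020102` bytes and offset, which is the check to apply to a capture before concluding that "05" is the kvno. A kvno above 127 shows up as a longer INTEGER (`A1 05 02 03 ...` for a three-byte value), which is why the length byte after the `A1` tag matters when comparing captures.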


More information about the Kerberos mailing list