MIT Kerberos OTP with Windows

Charles Hedrick hedrick at rutgers.edu
Fri Nov 3 09:53:55 EDT 2017


Here’s the conversation using tcpdump on the proxy server. The connection opens, no data is sent in either direction, and KfW closes it.

In case it matters, KfW is running in Windows 10 Fall Creator’s Update in a VM on a Mac.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens32, link-type EN10MB (Ethernet), capture size 262144 bytes
09:48:51.655867 IP heidelberg.cs.rutgers.edu.64543 > services.cs.rutgers.edu.https: Flags [S], seq 1112026556, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 348866560 ecr 0,sackOK,eol], length 0
09:48:51.655986 IP services.cs.rutgers.edu.https > heidelberg.cs.rutgers.edu.64543: Flags [S.], seq 990987710, ack 1112026557, win 28960, options [mss 1460,sackOK,TS val 32546177 ecr 348866560,nop,wscale 7], length 0
09:48:51.656291 IP heidelberg.cs.rutgers.edu.64543 > services.cs.rutgers.edu.https: Flags [.], ack 1, win 4117, options [nop,nop,TS val 348866560 ecr 32546177], length 0
09:48:51.656783 IP heidelberg.cs.rutgers.edu.64543 > services.cs.rutgers.edu.https: Flags [F.], seq 1, ack 1, win 4117, options [nop,nop,TS val 348866560 ecr 32546177], length 0
09:48:51.657145 IP services.cs.rutgers.edu.https > heidelberg.cs.rutgers.edu.64543: Flags [F.], seq 1, ack 2, win 227, options [nop,nop,TS val 32546178 ecr 348866560], length 0
09:48:51.657401 IP heidelberg.cs.rutgers.edu.64543 > services.cs.rutgers.edu.https: Flags [.], ack 2, win 4117, options [nop,nop,TS val 348866561 ecr 32546178], length 0


> On Nov 3, 2017, at 9:30 AM, Charles Hedrick <hedrick at rutgers.edu> wrote:
> 
> I’m using KfW 4.1. Since there’s no documentation on krb5.ini, I used the same syntax as for krb5.conf
> 
> kdc = https://services.cs.rutgers.edu/KdcProxy
> 
> I’m not using http_anchor, since we have a commercial cert, and other implementations don’t need us to specify a CA cert.
> 
> The error message says no kdc is reachable.
> 
> On Nov 2, 2017, at 7:33 PM, Benjamin Kaduk <kaduk at mit.edu> wrote:
> 
> On Wed, Nov 01, 2017 at 10:30:36PM +0000, Charles Hedrick wrote:
> 
> I’ll try again. Also KfW doesn’t seem to implement kdc proxy. I’d prefer not to open my kdc to the world. I’m currently using the Proxy for home use.
> 
> Hmm, could you say a bit more about what version of KfW you're using and
> how you've tried to configure MS-KKDCP?  From the release notes, at least,
> it seems that KfW 4.1 should have this support available in some form.
> 
> -Ben
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
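A quick way to confirm what the capture at the top of this message shows, added here as an example and not part of the original thread: a small Python script that parses tcpdump's TCP summary lines (the six lines above are embedded as constructed input) and reports payload bytes per direction and which side closed first. A client FIN with zero bytes sent means no TLS ClientHello was ever transmitted, which places the failure on the KfW side before any proxy or certificate handling.

```python
import re
from collections import defaultdict

# Constructed input: the six tcpdump summary lines from the capture in this message.
CAPTURE = """\
09:48:51.655867 IP heidelberg.cs.rutgers.edu.64543 > services.cs.rutgers.edu.https: Flags [S], seq 1112026556, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 348866560 ecr 0,sackOK,eol], length 0
09:48:51.655986 IP services.cs.rutgers.edu.https > heidelberg.cs.rutgers.edu.64543: Flags [S.], seq 990987710, ack 1112026557, win 28960, options [mss 1460,sackOK,TS val 32546177 ecr 348866560,nop,wscale 7], length 0
09:48:51.656291 IP heidelberg.cs.rutgers.edu.64543 > services.cs.rutgers.edu.https: Flags [.], ack 1, win 4117, options [nop,nop,TS val 348866560 ecr 32546177], length 0
09:48:51.656783 IP heidelberg.cs.rutgers.edu.64543 > services.cs.rutgers.edu.https: Flags [F.], seq 1, ack 1, win 4117, options [nop,nop,TS val 348866560 ecr 32546177], length 0
09:48:51.657145 IP services.cs.rutgers.edu.https > heidelberg.cs.rutgers.edu.64543: Flags [F.], seq 1, ack 2, win 227, options [nop,nop,TS val 32546178 ecr 348866560], length 0
09:48:51.657401 IP heidelberg.cs.rutgers.edu.64543 > services.cs.rutgers.edu.https: Flags [.], ack 2, win 4117, options [nop,nop,TS val 348866561 ecr 32546178], length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\],.*?length (?P<len>\d+)$"
)

def parse_tcpdump(text):
    """Yield (src, dst, flags, payload_len) for each tcpdump TCP summary line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], m["flags"], int(m["len"])

def summarize_flow(text):
    """Describe one TCP conversation: payload bytes per direction and who
    closed first. The client is the sender of the first bare SYN."""
    pkts = list(parse_tcpdump(text))
    syn = [(s, d) for s, d, f, _ in pkts if f == "S"]
    if not syn:
        raise ValueError("no SYN found; cannot tell client from server")
    client, server = syn[0]
    payload = defaultdict(int)
    first_fin = None
    for src, dst, flags, length in pkts:
        payload[(src, dst)] += length
        if "F" in flags and first_fin is None:
            first_fin = "client" if src == client else "server"
    return {
        "client": client,
        "server": server,
        "client_to_server_bytes": payload[(client, server)],
        "server_to_client_bytes": payload[(server, client)],
        "first_fin_by": first_fin,
        # Client FIN with zero bytes sent: no TLS ClientHello ever left the
        # client, so the fault is before TLS and therefore on the client side.
        "client_closed_without_sending": first_fin == "client" and payload[(client, server)] == 0,
    }
```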
