MIT Kerberos OTP with Windows

Charles Hedrick hedrick at rutgers.edu
Fri Nov 3 09:55:07 EDT 2017


It works fine in a copy of Ubuntu running in Linux for Windows on the same Windows 10 machine.

> On Nov 3, 2017, at 9:53 AM, Charles Hedrick <hedrick at rutgers.edu> wrote:
> 
> Here’s the conversation using tcpdump on the proxy server. The connection opens, no data is sent in either direction, and KfW closes it.
> 
> In case it matters, KfW is running in Windows 10 Fall Creator’s Update in a VM on a Mac.
> 
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on ens32, link-type EN10MB (Ethernet), capture size 262144 bytes
> 09:48:51.655867 IP heidelberg.cs.rutgers.edu.64543 > services.cs.rutgers.edu.https: Flags [S], seq 1112026556, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 348866560 ecr 0,sackOK,eol], length 0
> 09:48:51.655986 IP services.cs.rutgers.edu.https > heidelberg.cs.rutgers.edu.64543: Flags [S.], seq 990987710, ack 1112026557, win 28960, options [mss 1460,sackOK,TS val 32546177 ecr 348866560,nop,wscale 7], length 0
> 09:48:51.656291 IP heidelberg.cs.rutgers.edu.64543 > services.cs.rutgers.edu.https: Flags [.], ack 1, win 4117, options [nop,nop,TS val 348866560 ecr 32546177], length 0
> 09:48:51.656783 IP heidelberg.cs.rutgers.edu.64543 > services.cs.rutgers.edu.https: Flags [F.], seq 1, ack 1, win 4117, options [nop,nop,TS val 348866560 ecr 32546177], length 0
> 09:48:51.657145 IP services.cs.rutgers.edu.https > heidelberg.cs.rutgers.edu.64543: Flags [F.], seq 1, ack 2, win 227, options [nop,nop,TS val 32546178 ecr 348866560], length 0
> 09:48:51.657401 IP heidelberg.cs.rutgers.edu.64543 > services.cs.rutgers.edu.https: Flags [.], ack 2, win 4117, options [nop,nop,TS val 348866561 ecr 32546178], length 0
> 
> 
>> On Nov 3, 2017, at 9:30 AM, Charles Hedrick <hedrick at rutgers.edu> wrote:
>> 
>> I’m using KfW 4.1. Since there’s no documentation on krb5.ini, I used the same syntax as for krb5.conf
>> 
>> kdc = https://services.cs.rutgers.edu/KdcProxy
>> 
>> I’m not using http_anchor, since we have a commercial cert, and other implementations don’t need us to specify a CA cert.
>> 
>> The error message says no kdc is reachable.
>> 
>> On Nov 2, 2017, at 7:33 PM, Benjamin Kaduk <kaduk at mit.edu> wrote:
>> 
>> On Wed, Nov 01, 2017 at 10:30:36PM +0000, Charles Hedrick wrote:
>> 
>> I’ll try again. Also KfW doesn’t seem to implement kdc proxy. I’d prefer not to open my kdc to the world. I’m currently using the Proxy for home use.
>> 
>> Hmm, could you say a bit more about what version of KfW you're using and
>> how you've tried to configure MS-KKDCP?  From the release notes, at least,
>> it seems that KfW 4.1 should have this support available in some form.
>> 
>> -Ben
>> 
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
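Added example, not part of the original thread: a small Python triage script for captures like the tcpdump output quoted above. It flags TCP flows that complete the handshake and are then closed without a single payload byte. The host names and sample lines are constructed, and the parser assumes tcpdump's default (non-verbose) text output.

```python
import re

# Constructed sample in tcpdump's default text output (hypothetical hosts).
# Port 64543 mirrors the capture above; port 64544 sends a first data segment.
SAMPLE = """\
09:48:51.655867 IP client.example.64543 > proxy.example.https: Flags [S], seq 1112026556, win 65535, length 0
09:48:51.655986 IP proxy.example.https > client.example.64543: Flags [S.], seq 990987710, ack 1112026557, win 28960, length 0
09:48:51.656291 IP client.example.64543 > proxy.example.https: Flags [.], ack 1, win 4117, length 0
09:48:51.656783 IP client.example.64543 > proxy.example.https: Flags [F.], seq 1, ack 1, win 4117, length 0
09:48:51.657145 IP proxy.example.https > client.example.64543: Flags [F.], seq 1, ack 2, win 227, length 0
09:50:02.100000 IP client.example.64544 > proxy.example.https: Flags [S], seq 5000, win 65535, length 0
09:50:02.100100 IP proxy.example.https > client.example.64544: Flags [S.], seq 9000, ack 5001, win 28960, length 0
09:50:02.101000 IP client.example.64544 > proxy.example.https: Flags [P.], seq 1:518, ack 1, win 4117, length 517
"""

LINE = re.compile(r"^\S+ IP (\S+) > (\S+): Flags \[([^\]]*)\].*\blength (\d+)")

def classify_flows(text):
    """Map (client, server) to a verdict for each flow opened by a bare SYN."""
    flows = {}
    for raw in text.splitlines():
        m = LINE.match(raw.lstrip("> "))  # tolerate mail-quoted captures
        if not m:
            continue
        src, dst, flags, length = m[1], m[2], m[3], int(m[4])
        if flags == "S":  # bare SYN: src is the client
            flows[(src, dst)] = {"synack": False, "bytes": 0, "fin_by": None}
            continue
        key = (src, dst) if (src, dst) in flows else (dst, src)
        f = flows.get(key)
        if f is None:
            continue  # flow started before the capture did
        f["synack"] |= flags == "S."
        f["bytes"] += length
        if "F" in flags and f["fin_by"] is None:
            f["fin_by"] = "client" if src == key[0] else "server"
    return {k: verdict(f) for k, f in flows.items()}

def verdict(f):
    if not f["synack"]:
        return "no SYN-ACK"
    if f["bytes"] == 0 and f["fin_by"]:
        # Handshake completed but no TLS ClientHello was ever sent.
        return f["fin_by"] + " closed with no payload"
    return "data exchanged" if f["bytes"] else "open, no data yet"

if __name__ == "__main__":
    for (client, server), v in classify_flows(SAMPLE).items():
        print(client, "->", server, ":", v)
```

A "client closed with no payload" verdict means the client gave up before starting TLS, so the proxy's certificate was never presented on that connection.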



