Question about Windows S4U support

JianJun Li jjli at rocketsoftware.com
Wed Nov 8 09:23:03 EST 2023


Hi everyone,

We have an application with a Windows client + AD domain; for S4U2Self, it works well.

In our application, it calls LSALogonUser() to impersonate a user, which uses S4U2Self by setting up the Windows structure KERB_S4U_LOGON.

Now we want to switch from Windows AD to MIT KDC. Currently Windows can be authenticated by MIT KDC without any problem, but the Windows API LSALogonUser() in our application fails.

Problem 1:
When LSALogonUser() is called, the KDC logs the following error:

Nov 03 14:01:40 niuniu krb5kdc[13724](info): TGS_REQ (5 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135)}) 192.168.0.5: LOOKING_UP_SERVER: authtime 0,  host/win11client.mylab.com@MYLAB.COM for host\/win11client.mylab.com@MYLAB.COM, Server not found in Kerberos database

In fact, the principal "host/win11client.mylab.com@MYLAB.COM" exists. In Wireshark I can see Windows sends "host/win11client.mylab.com@MYLAB.COM" as the sname, and the KDC converts the sname to host\/win11client.mylab.com@MYLAB.COM.
I have had a look at the code but found no parameter or setting that can change this behavior.

Problem 2:
Sometimes, AS-REQ and TGS-REQ are all OK in MIT KDC, but on Windows it reports this error in Windows Event Viewer after calling LSALogonUser():

The digitally signed Privilege Attribute Certificate (PAC) that contains the authorization information for client user in realm MYLAB.COM could not be validated.
This error is usually caused by domain trust failures; Contact your system administrator.

I also tested "kvno -U user" on the same Windows machine, and it works.

From the MIT Kerberos documentation, I can see that S4U can be supported. My question is: for S4U, does MIT KDC have interoperability with the Windows API? Any feedback will be greatly appreciated.

I'm a newbie in Kerberos, thanks for your help!

Regards
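The krb5kdc log line in Problem 1 is easier to read once the KDC's principal-name escaping is taken into account: when MIT krb5 writes a principal to the log, a literal "/" inside a single component is emitted as "\/", so "host\/win11client.mylab.com" denotes a one-component name whose component contains a slash, while the database entry "host/win11client.mylab.com" has two components. The following Python is an added example (not code from the poster or from MIT krb5) that reimplements that unescaping for log triage and checks a TGS_REQ line for exactly this shape. The log line and host names in it are constructed; the `analyze_log_line` and `parse_principal` helpers are this example's own.

```python
"""Decode MIT krb5 principal strings as they appear in krb5kdc logs.

Added example, not from the original post or from MIT krb5. It follows the
escaping rules used when a principal is unparsed for display: a literal '/'
or '@' inside a component is written as '\\/' or '\\@', and a backslash as
'\\\\'. This lets a logged sname be compared with the principal an
administrator expects.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample log line (not the poster's log); 192.0.2.5 is a
# documentation address and the realm/host names are placeholders.
SAMPLE_LOG = (
    "Nov 03 14:01:40 kdc1 krb5kdc[13724](info): TGS_REQ "
    "(1 etypes {aes256-cts-hmac-sha1-96(18)}) 192.0.2.5: LOOKING_UP_SERVER: "
    "authtime 0,  host/win11client.mylab.com@MYLAB.COM "
    "for host\\/win11client.mylab.com@MYLAB.COM, "
    "Server not found in Kerberos database"
)

# Matches the tail of a krb5kdc TGS_REQ line: status, client, sname, message.
TGS_RE = re.compile(
    r"(?P<status>[A-Z_]+): authtime (?P<authtime>\d+),\s+"
    r"(?P<client>\S+) for (?P<sname>\S+), (?P<message>.*)$"
)


def parse_principal(text: str) -> Tuple[List[str], Optional[str]]:
    """Split an unparsed principal into (components, realm).

    A backslash escapes the following character, so '\\/' stays inside the
    current component instead of starting a new one. The realm is the text
    after the first unescaped '@' (None if absent).
    """
    components: List[str] = []
    current: List[str] = []
    in_realm = False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            # Escaped character: keep it literally, do not treat as separator.
            current.append(text[i + 1])
            i += 2
            continue
        if not in_realm and ch == "/":
            components.append("".join(current))
            current = []
        elif not in_realm and ch == "@":
            components.append("".join(current))
            current = []
            in_realm = True
        else:
            current.append(ch)
        i += 1
    if in_realm:
        return components, "".join(current)
    components.append("".join(current))
    return components, None


def analyze_log_line(line: str) -> Optional[Dict[str, object]]:
    """Extract the sname from a TGS_REQ line and flag a slash-in-one-component name.

    Returns None if the line is not a TGS_REQ line in the expected shape.
    """
    m = TGS_RE.search(line)
    if m is None or "TGS_REQ" not in line:
        return None
    comps, realm = parse_principal(m.group("sname"))
    return {
        "status": m.group("status"),
        "client": m.group("client"),
        "sname_components": comps,
        "sname_realm": realm,
        # True when the requested service name is a single component that
        # itself contains '/', i.e. it will never match a two-component
        # service/host entry in the KDC database.
        "one_component_contains_slash": len(comps) == 1 and "/" in comps[0],
        "message": m.group("message"),
    }


if __name__ == "__main__":
    result = analyze_log_line(SAMPLE_LOG)
    print(result)
```

Run against a real krb5kdc log, a `True` value for `one_component_contains_slash` on a "Server not found in Kerberos database" line points at the client encoding the service name as one component rather than at a missing database entry, which is the distinction the Wireshark observation in the post is about.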
