Question about Windows S4U support

JianJun Li jjli at rocketsoftware.com
Wed Nov 8 20:36:11 EST 2023 

Thank you Ken for the valuable feedback.

I'm using latest version V1.21 with its default backend DB. After the test, if all works,  I will try the combination MIT KDC + OpenLDAP then.

There are not so much available materials I can refer to like my case. Sometimes I really doubt Windows S4U API may be not completely compatible with MIT KDC, but based on current investigation, I still can't draw any conclusions. That's why I post comments here.

Regards
Jianjun Li

-----Original Message-----
From: Ken Hornstein <kenh at cmf.nrl.navy.mil>
Sent: Thursday, November 9, 2023 3:17 AM
To: JianJun Li <jjli at rocketsoftware.com>
Cc: kerberos at mit.edu
Subject: Re: Question about Windows S4U support

EXTERNAL EMAIL





I am DEFINITELY not an expert in S4U* nor Windows APIs, but I have looked into this a BIT and I can give you some thoughts.

>Now we wants to switch from Windows AD to MIT KDC. Currently windows
>can be authenticated by MIT KDC without any problem but Windows API
>LSALogonUser() in our application fails.

It should be noted that up front that there are some caveats to MIT Kerberos S4U support.  The specific one that I am aware of is that you cannot use the db2 database (the default) as the KDC backend; you need to use the LDAP KDB module and configure a special attribute called "krbAllowedToDelegateTo" to configure a service principal to permit S4U2Self.  I am not sure this is relevant to this discussion though.

>Nov 03 14:01:40 niuniu krb5kdc[13724](info): TGS_REQ (5 etypes
>{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
>DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24),
>UNSUPPORTED:(-135)}) 192.168.0.5: LOOKING_UP_SERVER: authtime 0,
>host/win11client.mylab.com at MYLAB.COM<mailto:host/win11client.mylab.com@
>MYLAB.COM> for host\/win11client.mylab.com at MYLAB.COM, Server not found
>in Kerberos database

It's important to understand that INTERALLY Kerberos principals are represented as a sequence of one or more strings and a realm.  So while you may see a principal in the form of "host/win11client at MYLAB.COM"
that's just the user representation.  Really that's encoded on the wire as the strings "host" and "win11client", and the realm MYLAB.COM.  If MIT Kerberos is displaying that as "host\/win11client at MYLAB.COM", then that means it's getting ONE string for that principal that contains "host/win11client" (the '/' is the traditional separator for strings in a Kerberos principal).  I have no idea why that is happening, but that suggests to me that there is some problem on the client side.

--Ken

================================
Rocket Software, Inc. and subsidiaries ■ 77 Fourth Avenue, Waltham MA 02451 ■ Main Office Toll Free Number: +1 855.577.4323
Contact Customer Support: https://my.rocketsoftware.com/RocketCommunity/RCEmailSupport
Unsubscribe from Marketing Messages/Manage Your Subscription Preferences - http://www.rocketsoftware.com/manage-your-email-preferences
Privacy Policy - http://www.rocketsoftware.com/company/legal/privacy-policy
================================

This communication and any attachments may contain confidential information of Rocket Software, Inc. All unauthorized use, disclosure or distribution is prohibited. If you are not the intended recipient, please notify Rocket Software immediately and destroy all copies of this communication. Thank you.

More information about the Kerberos mailing list