Support for Microsoft Set Password protocol

Paul W. Nelson nelson at
Wed Apr 2 18:17:02 EST 2003

A preliminary test shows that the TCP connection just gets dropped without
any response.  This is much better than the UDP result.  At least you can do
something about this...

Paul W. Nelson
Thursby Software Systems, Inc.

> From: Nicolas Williams <Nicolas.Williams at>
> Date: Wed, 2 Apr 2003 14:51:47 -0800
> To: "Paul W. Nelson" <nelson at>
> Cc: Ken Hornstein <kenh at>, krbdev at MIT.EDU
> Subject: Re: Support for Microsoft Set Password protocol
> What if the client uses TCP?  Does the MS kpasswd service even support
> TCP?  (rfc3244 mentions TCP but does not make TCP support an explicit
> requirement - then again, it is an informational rfc...).
> If the TCP behaviour is more acceptable then negotiation can still be
> done.  Otherwise MS will have to patch their kpasswd service - remember,
> if MS wants to implement v2 then MS will need a way for clients to
> negotiate the protocol version...
> Or we could move kpasswd v2 to a different port number and then
> negotiation would go like this:
> - try v2
> - try v0xff80
> - try v1
> (yuck!)
> Thanks,
> Nico
> On Wed, Apr 02, 2003 at 04:45:54PM -0600, Paul W. Nelson wrote:
>> I hacked the 1.3 alpha code to force the version number to be set to 0x0002.
>> Unfortunately, here is what a Microsoft Server 2003 (their latest) does:
>> 1) The Microsoft KDC does not respond to a change password request with the
>> version set to 0x0002 at all.
>> 2) It puts an error in the system event log (event id 23) with:
>>     The KDC Received invalid messages of type changepassword.
>> This is the worst possible behavior for trying to support both new and old
>> servers from an application (i.e., negotiate a version to use).
>> -- 
>> Paul W. Nelson
>> Thursby Software Systems, Inc.
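
The fallback order proposed in the quoted message, combined with the TCP behaviour reported at the top of this message, as an added example that is not part of the original thread or of the MIT code: a client walks v2, 0xff80, v1 over a stream socket and treats a close with no response as "version not supported". The mock server, the placeholder payloads and all function names are constructed for illustration; the 6-byte header follows RFC 3244 and the 4-byte TCP length prefix is assumed to be the usual Kerberos-over-TCP framing.

```python
import socket
import struct

# Version numbers named in the thread: v2 = 0x0002, MS set-password = 0xff80, v1 = 0x0001.
FALLBACK_ORDER = (0x0002, 0xFF80, 0x0001)

def frame(version, ap=b"", krb_priv=b""):
    """RFC 3244 header (message length, version, AP-REQ/AP-REP length) plus TCP length prefix."""
    body = struct.pack("!HHH", 6 + len(ap) + len(krb_priv), version, len(ap)) + ap + krb_priv
    return struct.pack("!I", len(body)) + body

def read_exact(sock, n):
    """Read exactly n bytes, or return None if the peer closed first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf

def mock_server(conn, supported):
    """Constructed stand-in for a kpasswd service: drops the connection on an unknown version."""
    (length,) = struct.unpack("!I", read_exact(conn, 4))
    _, version, _ = struct.unpack("!HHH", read_exact(conn, length)[:6])
    if version in supported:
        conn.sendall(frame(version, b"ap-rep-placeholder", b"krb-priv-placeholder"))
    conn.close()  # unsupported version: closed with no response, as reported for TCP

def try_version(version, supported):
    """One attempt over a stream socket. Returns the reply's version, or None if dropped."""
    client, server = socket.socketpair()
    try:
        client.sendall(frame(version, b"ap-req-placeholder", b"krb-priv-placeholder"))
        mock_server(server, supported)
        prefix = read_exact(client, 4)
        reply = read_exact(client, struct.unpack("!I", prefix)[0]) if prefix else None
        return struct.unpack("!HHH", reply[:6])[1] if reply else None
    finally:
        client.close()

def negotiate(supported):
    """Walk the fallback order; return (chosen version, versions that were dropped)."""
    dropped = []
    for version in FALLBACK_ORDER:
        if try_version(version, supported) == version:
            return version, dropped
        dropped.append(version)
    return None, dropped
```

Over UDP the same loop would have to wait out a timeout on every rejected version, and a timeout cannot be told apart from packet loss.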
