Vista x86 client cross-realm interop with MIT KDCs

Karl R. Grose karlgrose at berkeley.edu
Fri Oct 13 18:59:11 EDT 2006 

Hello MIT developers,

Microsoft has identified what they believe to be an interop issue
between the Vista x86 client and recent MIT KDCs when operating as part
of an AD-MIT cross-realm scenario. Our CAMPUS.BERKELEY.EDU AD realm
trusts our BERKELEY.EDU MIT realm and has worked fine for years with
WinXP hosts joined to the CAMPUS domain where users are defined as
@BERKELEY.EDU principals and mapped to shadow AD user accounts via
altSecurityIdentities. See Microsoft's analysis of the issue near the
end of the appended excerpt of the report I opened with the Vista Beta team.

--Karl

Karl Grose
UC Berkeley

=======
Feedback ID 224492 Blocking Issue No
Feedback Type Bug Access Restriction Public
Status Active Submission Language English
Opened Date 10/11/2006 11:25:47 PM
Opened By karlgrose

--------------------------------------------------------------------------------

Description  Logons to a domain-joined computer where the user account
exists in an external MIT Kerberos realm fail.
...

Entered by Microsoft on 10/12/2006 at 2:52 PM
first, we just had a report that the build you have does not work well
with older MIT kDCs (older than 1.2xx I think),
can you try the latest fix in mit2.zip.txt?
...

Entered by karlgrose on 10/12/2006 at 6:34 PM
The newer kerberos.dll did not seem to make any difference. the kerb.etl
file has been uploaded to here.
--Karl
...
Entered by karlgrose on 10/13/2006 at 10:09 AM
OK, restored the original kerberos.dll and reran the tracelog command
using a newer version of tracelog. The file is uploaded here as "kerb1.etl".
My understanding is that our KDC is running MIT Kerberos v. 1.4.3 plus
the UMich patches.
...

Entered by Microsoft on 10/13/2006 at 11:43 AM
below is TEXT log decoded from the ETL. it seems that your client at
first sends no preauth (this is expected), then the KDC says preauth is
required, then the client sends the encrypted timestamp as preauth (the
encryption type used is des-cbc-crc), but then the KDC reply is
encrypted using des-cbc-md5.
based on your log, we actually replicated the exact protocol sequence,
but our clients worked fine.

at this point, we would need the sniff/traffic capture to compare the
difference in your setup and ours. thx.

Setting log file to: E:\temp\berkeley\kerb1.etl

Getting guids from E:\temp\berkeley\default.tmf

[0]0280.0E88::10/13/2006-09:56:23.963 [winnt5]LogonUser returned c000010b, 0

[1]0280.0E88::10/13/2006-09:56:23.969 [winnt5]LsaApLogonTerminated
called: 0x0:0x178344

[1]0280.0E88::10/13/2006-09:56:23.969 [winnt5]KerbCreateLogonSession
creating logon session for 0:0x178347

[1]0280.0E88::10/13/2006-09:56:23.970 [winnt5]INSERT logonsess 002CAB40
for 0:0x178347

[1]0280.0E88::10/13/2006-09:56:23.970
[winnt5]KerbGetAuthenticationTicket sending NO preauth

[0]0280.0E88::10/13/2006-09:56:24.191 [winnt5]Failed to unpack KDC reply
as AS: 0x3c

[0]0280.0E88::10/13/2006-09:56:24.191 [winnt5]KerbCallKdc failed: error
0x19, extendedStatus 0,
d:\rtm_edw\ds\security\protocols\kerberos\client2\logonapi.cxx, line 2428

[0]0280.0E88::10/13/2006-09:56:24.231 [winnt5]KerbFindCommonPaEtype
using current password of xxxxxxx at BERKELEY.EDU@(null)

[0]0280.0E88::10/13/2006-09:56:24.232
[winnt5]KerbGetAuthenticationTicket sending preauth enctype 1, length 8,
PrimaryCredentials->PublicKeyCreds 00000000

[0]0280.0E88::10/13/2006-09:56:24.257
[winnt5]KerbGetAuthenticationTicket rekeying 1 -> 3 (preauth not required)

[0]0280.0E88::10/13/2006-09:56:24.270 [winnt5]Kdc returned reply with
encryption type we don't support: 3.
d:\rtm_edw\ds\security\protocols\kerberos\client2\logonapi.cxx, line 3042

[0]0280.0E88::10/13/2006-09:56:24.270 [winnt5]KerbCacheLogonInformation
updating NLP Cache entry of (null)\xxxxxxx at BERKELEY.EDU, flags 0x21
disabling optimized logon...

[0]0280.0E88::10/13/2006-09:56:24.270 [winnt5]KerbCacheLogonInformation
failed to cache credentials: 0x0, 0xc000006d.
d:\rtm_edw\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 3259

[0]0280.0E88::10/13/2006-09:56:24.270 [winnt5]LogonUser: Failed to get
TGT for (null)\xxxxxxx at BERKELEY.EDU : 0xc000006d

[0]0280.0E88::10/13/2006-09:56:24.270 [winnt5]REMOVE logonsess 002CAB40
for 0:0x178347

[0]0280.0E88::10/13/2006-09:56:24.270 [winnt5]LogonUser returned c000006d, 0

[0]0280.0E88::10/13/2006-09:56:24.270 [winnt5]FREE logonsess 002CAB40
for 0:0x178347

[1]0280.0E88::10/13/2006-09:56:50.068 [winnt5]LogonUser returned c000010b, 0

[1]0280.0E88::10/13/2006-09:56:50.121 [winnt5]LsaApLogonTerminated
called: 0x0:0x1787e7

[1]0280.0E88::10/13/2006-09:56:50.122 [winnt5]KerbCreateLogonSession
creating logon session for 0:0x1787eb

[1]0280.0E88::10/13/2006-09:56:50.122 [winnt5]INSERT logonsess 002CAB40
for 0:0x1787eb

[1]0280.0E88::10/13/2006-09:56:50.122 [winnt5]KerbFindCommonPaEtype
using current password of xxxxxxx at CAMPUS.BERKELEY.EDU@(null)

[1]0280.0E88::10/13/2006-09:56:50.122
[winnt5]KerbGetAuthenticationTicket sending preauth enctype 0, length 0,
PrimaryCredentials->PublicKeyCreds 00000000

[1]0280.0E88::10/13/2006-09:56:50.249 [winnt5]Failed to unpack KDC reply
as AS: 0x3c

[1]0280.0E88::10/13/2006-09:56:50.249 [winnt5]KerbCallKdc failed: error
0x19, extendedStatus 0,
d:\rtm_edw\ds\security\protocols\kerberos\client2\logonapi.cxx, line 2428

[1]0280.0E88::10/13/2006-09:56:50.301 [winnt5]KerbFindCommonPaEtype
using current password of xxxxxxx at CAMPUS.BERKELEY.EDU@(null)

[1]0280.0E88::10/13/2006-09:56:50.301
[winnt5]KerbGetAuthenticationTicket sending preauth enctype 23, length
16, PrimaryCredentials->PublicKeyCreds 00000000

[0]0280.0E88::10/13/2006-09:56:50.344 [winnt5]UserName different in
logon session & AS ticket: xxxxxxx at CAMPUS.BERKELEY.EDU vs xxxxxxx

[0]0280.0E88::10/13/2006-09:56:50.344 [winnt5]Domain name is different
in logon session & as ticket: (null) vs CAMPUS.BERKELEY.EDU

[0]0280.0E88::10/13/2006-09:56:50.359 [winnt5]KerbCacheLogonInformation
updating NLP Cache entry of (null)\xxxxxxx at CAMPUS.BERKELEY.EDU, flags 0
<NULL>...

[0]0280.0E88::10/13/2006-09:56:50.403 [winnt5]KerbCreateLogonSession
creating logon session for 0:0x17882c

[0]0280.0E88::10/13/2006-09:56:50.403 [winnt5]INSERT logonsess 002CA9F8
for 0:0x17882c

[1]0280.02E0::10/13/2006-09:56:51.137 [winnt5]KerbFindCommonPaEtype
using current password of xxxxxxx at CAMPUS.BERKELEY.EDU

[1]0280.02E0::10/13/2006-09:56:51.137
[winnt5]KerbGetAuthenticationTicket sending preauth enctype 0, length 0,
PrimaryCredentials->PublicKeyCreds 00000000

[0]0280.02E0::10/13/2006-09:56:51.142 [winnt5]Failed to unpack KDC reply
as AS: 0x3c

[0]0280.02E0::10/13/2006-09:56:51.142 [winnt5]KerbCallKdc failed: error
0x19, extendedStatus 0,
d:\rtm_edw\ds\security\protocols\kerberos\client2\logonapi.cxx, line 2428

[0]0280.02E0::10/13/2006-09:56:51.172 [winnt5]KerbFindCommonPaEtype
using current password of xxxxxxx at CAMPUS.BERKELEY.EDU

[0]0280.02E0::10/13/2006-09:56:51.172
[winnt5]KerbGetAuthenticationTicket sending preauth enctype 23, length
16, PrimaryCredentials->PublicKeyCreds 00000000

[0]0280.02E0::10/13/2006-09:56:51.215 [winnt5]KerbBuildGssChecksum asked
for delegation, but not granted

Event traces dumped to FmtFile.txt

Event Summary dumped to FmtSum.txt

Exit Status: 38


Entered by karlgrose on 10/13/2006 at 12:17 PM
I used Network Monitor on the host to capture traffic from the KDC
to/from the NATed VMware Vista x86 client. This is uploaded here as
"kerberos.cap". The registry settings active are in the BERKELEY.EDU.reg
file previously send with the original report.
--Karl
...
Entered by Microsoft on 10/13/2006 at 2:41 PM
excellent, with the sniff you provided, we have identified this issue:
in frame 4 of sniff, the kdc reply contains a preauth data of type
etype-info2, but the encryption type does not match with the encryption
type of the enc-part in the AS-REP.

this is incorrect according to RFC4120. On page 63, section 5.2.7.5 of
RFC4120, it says:
If ETYPE-INFO2 is sent in an AS-REP, there shall be exactly one
ETYPE-INFO2-ENTRY, and its etype shall match that of the enc-part in
the AS-REP.

Because MIT KDCs do not behave according to the above TEXT of RFC4120,
vista clients bail out.

The question then is why WinXP works with MIT KDCs. this is because
according RFc4120, ETYPE-info2 is sent by the KDC only when the AS
request etype list contains at least one "newer" enctype. As such, the
incorrect etype-info2 is only sent to vista clients because vista has
AES enctypes in the AS request etype list, winXP does not have any newer
entype in the request etype list.

Please report this issue to MIT Kerberos team, we would also like to
request this issue to MIT Kerberos dev in parallel, but we would need
your permission to release the netmon sniffs to MIT kerberos devs to
help them identify the issues.

The workaround is to configure the MIT principal to prefer des-cbc-md5,
right now the MIT KDC is sending des-cbc-crc first.


Entered by karlgrose on 10/13/2006 at 3:12 PM
I will send a report to the MIT Kerberos team and hereby give you
permission to release any information I've provided on this case
including the network capture info uploaded here.
Thanks,

--Karl

Karl Grose
UC Berkeley


How often does this happen?
     always happens

Have you seen this problem before in this product?
     I don't know if this issue existed previously.

Reproduction Steps
     Create a cross-realm trust between an AD realm
(CAMPUS.BERKELEY.EDU) and an external MIT Kerberos realm (BERKELEY.EDU).
Define altSecurityIdentities mapping the external principals to local AD
accounts. Create GPOs to create the registry entries in newly joined
computers to define the external realm for the local computer. All of
this works in production for years with XP clients. Join a Vista host to
the CAMPUS.BERKELEY.EDU domain and attempt to logon as either
"user at BERKELEY.EDU" or "BERKELEY.EDU\user" and receive the wrong
username or password error. Logons to "user at CAMPUS.BERKELEY.EDU" or
CAMPUS\user" work as expected.

Expected Results

     Logons using the BERKELEY.EDU principals succeed as for
CAMPUS.BERKELEY.EDU principals.


Language ID
     9
What product are you filling this report on?
     Longhorn
This install?
     is not an upgrade (a clean install)
Area
     Security
Sub-area
     Winlogon
Build
     5744.16384
Platform
     Microsoft(R) Windows(R) Vista Ultimate
Processor Architecture
     x86 Family 15 Model 2 Stepping 8, GenuineIntel
...
=======

More information about the krbdev mailing list