e-data field in KRB-ERROR from microsoft clients when ERR_SKEW is issued
Jeffrey Hutzelman
jhutz at cmu.edu
Mon Sep 18 12:23:59 EDT 2006
On Sunday, September 17, 2006 11:31:11 PM -0400 JC Ferguson <jc at acopia.com>
wrote:
>
> Hi - When a WindowsXP client whose clock is skewed beyond the configured
> toleration connects to a Microsoft Windows 2000 server, the return is a
> KRB-ERROR message with all the fixings. However, I cannot interpret the
> e-data field. I am consistently getting a byte sequence of:
>
> ac 09 04 07 30 05 a1 03 02 01 02
>
> which I interpret as
>
> [12] {
> OCTET STRING
> 30 05 a1 03 02 01 02
> }
Yes; that's how e-data should be encoded, per RFC 4121 section 5.9.1. The
meaning of the octet-string depends on the error-code and, unless the code
is KDC_ERR_PREAUTH_REQUIRED, on the implementation. You didn't tell us
what the error code is, though one might assume from the rest of your
message that you saw KRB_AP_ERR_SKEW there.
> and this appears to contain another sequence of bytes:
>
> SEQUENCE {
> [1] {
> 02 01 02
> }
> }
But you haven't finished decoding. 02 01 02 is an INTEGER with value 2.
This sequence looks like a PA-DATA with type pa-enc-timestamp and no value.
In other words, almost (but not quite) exactly like what the e-data for
KDC_ERR_PREAUTH_REQUIRED should look like.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
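The decoding the two messages walk through, as an added example that is not part of the thread: a minimal DER walker (function names read_tlv, expect and decode_edata are my own) applied to the bytes quoted above, unwrapping [12] EXPLICIT OCTET STRING and parsing the octets as a PA-DATA, which yields padata-type 2 and no padata-value.

```python
# e-data bytes quoted in the post (constructed from the hex dump above)
E_DATA = bytes.fromhex("ac 09 04 07 30 05 a1 03 02 01 02")


def read_tlv(buf, pos=0):
    """Decode one DER element at pos -> (class, constructed, tag, value, next_pos).
    Class: 0 universal, 1 application, 2 context-specific. Single-byte tags only."""
    first = buf[pos]
    tag_class, constructed, tag = first >> 6, bool(first & 0x20), first & 0x1F
    if tag == 0x1F:
        raise ValueError("multi-byte tag numbers not supported")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the byte count
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated element")
    return tag_class, constructed, tag, value, pos + length


def expect(buf, tag_class, constructed, tag, what):
    """Read one element that must fill buf entirely and carry the given tag."""
    c, k, t, value, end = read_tlv(buf)
    if (c, k, t) != (tag_class, constructed, tag) or end != len(buf):
        raise ValueError(f"expected {what}, got class={c} constructed={k} tag={t}")
    return value


def decode_edata(e_data):
    """Unwrap e-data ([12] EXPLICIT OCTET STRING) and parse the octets as one PA-DATA:
    SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING }."""
    octets = expect(e_data, 2, True, 12, "context tag [12]")
    seq = expect(expect(octets, 0, False, 4, "OCTET STRING"), 0, True, 16, "SEQUENCE")
    fields, pos = {}, 0
    while pos < len(seq):
        c, k, t, val, pos = read_tlv(seq, pos)
        if c != 2 or not k:
            raise ValueError("PA-DATA fields must be context-tagged")
        if t == 1:                          # padata-type; 2 is pa-enc-timestamp
            raw = expect(val, 0, False, 2, "INTEGER")
            fields["padata_type"] = int.from_bytes(raw, "big", signed=True)
        elif t == 2:                        # padata-value, absent in the post's bytes
            fields["padata_value"] = expect(val, 0, False, 4, "OCTET STRING")
        else:
            raise ValueError(f"unexpected PA-DATA field [{t}]")
    return fields  # for E_DATA: {"padata_type": 2}
```

A well-formed PA-DATA would carry a [2] OCTET STRING as well; the walker reports it when present and raises on truncated or mis-tagged input rather than guessing.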