Need help with s4u test program and constrained delegation

diptivs@gmail.com diptivs at gmail.com
Thu Jun 6 03:46:06 EDT 2013


Hi,

I am trying to test constrained delegation using the s4u test program
(C:\krb5-1.11.2\src\tests\gssapi\t_s4u.c).

All setups are on windows with Active directory as KDC.

*Scenario used:*

Service1: HTTP/srv-2k8r2-3.ad1.com
Service2: smps/srv-2k8r2-2.ad1.com

Service1 is expected to do a delegated authentication for user
"testkrb@AD1.COM" to service2.

*Steps used:*
*On Active Directory:*

   - Created a user named spssrv4 for service1.
      - Associated the service1 account (spssrv4) with its principal
      name (HTTP/srv-2k8r2-3.ad1.com@AD1.COM) and created a *keytab* file
      using ktpass as: "ktpass -out c:\spssrv4.keytab -princ
      HTTP/srv-2k8r2-3.ad1.com@AD1.COM -ptype KRB5_NT_PRINCIPAL -mapuser spssrv4
      -pass *****"
      - Marked the service account as "Trusted for Delegation": right-click
      the service account (spssrv4), open Properties and click the
      "Delegation" tab, as shown in the image below: [image: Inline image 2]
   - Created a user named pssrv2 for service2.
      - Associated the service2 account (pssrv2) with its principal name
      (smps/srv-2k8r2-2.ad1.com@AD1.COM) and created a *keytab* file using
      ktpass as: "ktpass -out c:\pssrv2.keytab -princ
      smps/srv-2k8r2-2.ad1.com@AD1.COM -ptype KRB5_NT_PRINCIPAL -mapuser pssrv2
      -pass *****"
   - Created a user named testkrb as a test user and added this user to the
   Domain Admins group.

*On Client Machine:*
Logged into the machine (srv-2k8r2-3.ad1.com) as user testkrb.
On the command prompt, executed the following commands:

   - kinit -k -t C:\Windows\spssrv4.keytab -f HTTP/srv-2k8r2-3.ad1.com

   - t_s4u.exe p:testkrb@AD1.COM p:smps/srv-2k8r2-2.ad1.com C:\Windows\spssrv4.keytab


*Errors:*
Below is the output on using debug build:

10:58:18 2284 DllMain DLL_PROCESS_ATTACH
10:58:19 2284 DllMain DLL_THREAD_ATTACH
10:58:19 2772 DllMain DLL_THREAD_ATTACH
Protocol transition tests follow
-----------------------------------

get_plugin_data_sym(authdata_client_0)
init module "mspac", ad_type 128, flags 00000002
init module "constrained-delegation", ad_type 512, flags 00000008
gssint_mecherrmap_map: mapping 2 at 74909D00=krb5-new to 2: err=0
new map: ((2,2 at 0079E758=krb5-new))
gssint_mecherrmap_map: mapping 0 at 74909D00=krb5-new to 100001: err=0
new map: ((2,2 at 0079E758=krb5-new), (100001,0 at 0079E7C8=krb5-new))
gssint_mecherrmap_map: mapping 0 at 74909D0C=krb5-old to 100002: err=0
new map: ((2,2 at 0079E758=krb5-new), (100001,0 at 0079E7C8=krb5-new),
(100002,0 at 0079E6E8=krb5-old))
gssint_mecherrmap_map: mapping 0 at 74909D14=krb5-microsoft to 100003: err=0
new map: ((2,2 at 0079E758=krb5-new), (100001,0 at 0079E7C8=krb5-new),
(100002,0 at 0079E6E8=krb5-old), (100003,0 at 0079E720=krb5-microsoft))
gssint_mecherrmap_map: mapping 0 at 74909D20={ 1 3 6 1 5 2 5 } to 100004: err=0
new map: ((2,2 at 0079E758=krb5-new), (100001,0 at 0079E7C8=krb5-new),
(100002,0 at 0079E6E8=krb5-old), (100003,0 at 0079E720=krb5-microsoft),
(100004,0 at 0079E800={ 1 3 6 15 2 5 }))
gssint_mecherrmap_map: found 0 at 74909D00=krb5-new in map as 100001
gssint_mecherrmap_map: found 0 at 74909D0C=krb5-old in map as 100002
gssint_mecherrmap_map: found 0 at 74909D14=krb5-microsoft in map as 100003
gssint_mecherrmap_map: found 0 at 74909D20={ 1 3 6 1 5 2 5 } in map as 100004
10:58:29 2284   Running on Windows NT using secure mode
10:58:29 2284 find_server Looking for server; ccs_request_IfHandle:0x528CA8
10:58:29 2284 authenticate_server entry
10:58:29 2284   Server authenticated!
10:58:29 2284 ccapi_connect is listening ...
10:58:29 2232 DllMain DLL_THREAD_ATTACH
10:58:29 2284   Server FOUND!
10:58:29 2772 ccapi_listen (null)!
10:58:29 2428 DllMain DLL_THREAD_ATTACH
10:58:29 2284 _cci_ipc_send() got 221 at .\ccapi_ipc.c: 92
10:58:29 2284 cci_ipc_send_no_launch() got 221 at .\ccapi_ipc.c: 118
10:58:29 2284 ccapi_context_open_ccache() got 221 at .\ccapi_context.c: 408
03:46:19 2428 DllMain DLL_THREAD_DETACH
03:46:19 2232 DllMain DLL_THREAD_DETACH
03:46:19 2284 cci_context_change_time_sync noticed server changed
(server_was_running = 0; server_is_running = 1; g_change_time = 0;
g_change_time_offset = 1
03:46:19 2284 _cci_ipc_send() got 221 at .\ccapi_ipc.c: 92
03:46:19 2284 cci_ipc_send_no_launch() got 221 at .\ccapi_ipc.c: 118
03:46:19 2284 ccapi_context_open_ccache() got 221 at .\ccapi_context.c: 408
03:46:19 2284 _cci_ipc_send() got 221 at .\ccapi_ipc.c: 92
03:46:19 2284 cci_ipc_send_no_launch() got 221 at .\ccapi_ipc.c: 118
03:46:19 2284 ccapi_context_open_ccache() got 221 at .\ccapi_context.c: 408
03:46:19 2284 _cci_ipc_send() got 221 at .\ccapi_ipc.c: 92
03:46:19 2284 cci_ipc_send_no_launch() got 221 at .\ccapi_ipc.c: 118
03:46:19 2284 ccapi_context_open_ccache() got 221 at .\ccapi_context.c: 408
krb5_gss_save_error_info(39756044, ctx=0079F0C0)
krb5_gss_save_error_info(39756044, ctx=0079F0C0) saving: Credential cache
is empty
gss_krb5_save_error_string_nocopy(39756044, Credential cache is empty)
p=003B5958 SUCCESS
03:46:19 1068 DllMain DLL_THREAD_ATTACH
03:46:19 2516 DllMain DLL_THREAD_ATTACH
gssint_mecherrmap_map: mapping 39756044 at 74909D00=krb5-new to 39756044: err=0
new map: ((2,2 at 0079E758=krb5-new), (100001,0 at 0079E7C8=krb5-new),
(100002,0 at 0079E6E8=krb5-old), (100003,0 at 0079E720=krb5-microsoft),
(100004,0 at 0079E800={ 1 3 6 15 2 5 }), (39756044,39756044 at 0079E838=krb5-new))
gss_acquire_cred_impersonate_name: Unspecified GSS failure.  Minor code may
provide more information
krb5_gss_get_error_message(39756044, p=003B5958) FOUND! ->
003B29F0/Credential cache is empty
gss_acquire_cred_impersonate_name: Credential cache is empty
03:46:19 2284 DllMain DLL_PROCESS_DETACH


I am not sure what is going wrong here.

*Actual usage and problem:*
*Working configuration:*
In our product setup everything works if delegation is set up as below:

   - Mark the service1 account as "*Trusted for Delegation*": right-click
   the service account (spssrv4) properties, click the "Delegation" tab,
   then select the second option, "Trust this user for delegation to any
   service (Kerberos only)".


*Not Working configuration:*
But it fails if this setting is changed to:

   - Mark the service1 account as "*Trusted for Delegation*": right-click
   the service account (spssrv4) properties, click the "Delegation" tab,
   then select the third option, "Trust this user for delegation to
   specified services only", select the "Use Kerberos only" radio button
   and add the corresponding service principal name
   (smps/srv-2k8r2-2.ad1.com@AD1.COM).

*Error:*
This fails with an error as below:
"Failed to create delegated GSSAPI token on behalf of
HTTP/srv-2k8r2-3.ad1.com@AD1.COM for smps@2k8r2-2.AD1.com: Minor Status=100008,
Major Status=851968, Message=Unknown code FF 168"


Any suggestions would be of great help. thanks.

Thank you
Regards,
Dipti


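Added example, not part of the original post or of the krb5 tree: the Active Directory side of the setup described above, done from PowerShell with the ActiveDirectory (RSAT) module instead of the account's "Delegation" tab, followed by a read-back of the attributes the KDC actually consults. Account and SPN names are those used in the post; the cmdlets and the userAccountControl bit values are standard. The two delegation options map to distinct settings: the list of target SPNs is the msDS-AllowedToDelegateTo attribute, and protocol transition (S4U2Self, which gss_acquire_cred_impersonate_name in t_s4u triggers) needs the TRUSTED_TO_AUTH_FOR_DELEGATION flag, i.e. the "Use any authentication protocol" radio button; with "Use Kerberos only" the KDC issues the S4U2Self ticket without the forwardable flag and the subsequent S4U2Proxy request is refused.

```powershell
# Added example (not from the original post): configure the service1
# account for constrained delegation to service2 with protocol
# transition, then verify the bits the KDC reads for S4U2Self/S4U2Proxy.
# Assumes the ActiveDirectory module on a domain-joined host and the
# account/SPN names from the post.
Import-Module ActiveDirectory

$svc1    = 'spssrv4'                      # account behind HTTP/srv-2k8r2-3.ad1.com
$svc1Spn = 'HTTP/srv-2k8r2-3.ad1.com'
$svc2Spn = 'smps/srv-2k8r2-2.ad1.com'     # delegation target (service2)

# SPN registration; ktpass -mapuser also does this, harmless if already set.
Set-ADUser -Identity $svc1 -ServicePrincipalNames @{Add = $svc1Spn}

# "Trust this user for delegation to specified services only":
# the allowed target list is the msDS-AllowedToDelegateTo attribute.
Set-ADUser -Identity $svc1 -Replace @{'msDS-AllowedToDelegateTo' = @($svc2Spn)}

# "Use any authentication protocol" = TRUSTED_TO_AUTH_FOR_DELEGATION.
# Required for S4U2Self (protocol transition); with "Use Kerberos only"
# the S4U2Self ticket is not forwardable and S4U2Proxy fails.
Set-ADAccountControl -Identity $svc1 -TrustedToAuthForDelegation $true

# "Trust this user for delegation to any service" is unconstrained
# delegation (TRUSTED_FOR_DELEGATION); make sure it is off.
Set-ADAccountControl -Identity $svc1 -TrustedForDelegation $false

# Read back and decode what the KDC will see.
$TRUSTED_FOR_DELEGATION         = 0x80000
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000

$u = Get-ADUser -Identity $svc1 -Properties userAccountControl,
        'msDS-AllowedToDelegateTo', servicePrincipalName

[pscustomobject]@{
    Account             = $u.SamAccountName
    SPNs                = ($u.servicePrincipalName -join ', ')
    AllowedToDelegateTo = ($u.'msDS-AllowedToDelegateTo' -join ', ')
    Unconstrained       = [bool]($u.userAccountControl -band $TRUSTED_FOR_DELEGATION)
    ProtocolTransition  = [bool]($u.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
}
```

Run it as a domain administrator after creating the spssrv4 account; the final object should show Unconstrained = False, ProtocolTransition = True and AllowedToDelegateTo containing only smps/srv-2k8r2-2.ad1.com. An SPN in the allowed list that does not exactly match the service name the proxying service asks for (including host name case and the presence or absence of a port) is treated by the KDC as not allowed.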