TGS-REP TICKET decrypting problem

Danilo Almeida dalmeida at MIT.EDU
Wed Jun 11 21:55:45 EDT 2014


Somenath,

Your description is still very unclear.

My guess as to what you are describing:

1. You are running an Active Directory domain on a Windows Server 2012 machine with two Windows (version?) clients joined to the domain. Let’s call the domain DOMAIN and the machines DC, CLIENT-1, and CLIENT-2.

2. You have a domain user account called U1 at DOMAIN.

3. You log into CLIENT-1 as U1 at DOMAIN.

4. As U1 at DOMAIN on CLIENT-1, you try to access files over SMB2 on CLIENT-2.

Is my understanding correct? If so, is this failing somehow? If not, please make your scenario clearer.

- Danilo

From: somenath saha [mailto:saha.somenath.88 at gmail.com]
Sent: Tuesday, June 10, 2014 9:54 PM
To: Danilo Almeida
Cc: Zheng, Kai; Wang Weijun; krbdev at mit.edu
Subject: Re: TGS-REP TICKET decrypting problem

Hi all,

I have three machines. One is used as a Windows Server 2012 where the KDC is running, and DHCP and DNS are also running there. The other two PCs are connected to this server. Now the two client PCs want to communicate with each other using cifsv2. Before that they must be authenticated by Kerberos. Everything goes fine. The problem arises where the 2nd client PC wants to decrypt the ticket which he received from the 1st client PC through the AP-REQ message. I think the 2nd client PC must not communicate again with the KDC to get his secret key to decrypt the pc. It should be known to him, but I'm unable to prepare the key as I don't know which credential is used to prepare the key. Please go through the first mail in this mail chain to find out the user account credential for the 2nd PC. The ticket is encrypted with the aes256-cts-hmac-sha1-96 algorithm.

Regards,
Somenath

On Wed, Jun 11, 2014 at 3:50 AM, Danilo Almeida <dalmeida at mit.edu> wrote:
Somenath,

What is your end-to-end scenario?

- Danilo


