TGS-REP TICKET decrypting problem

somenath saha saha.somenath.88 at gmail.com
Thu Jun 12 02:29:12 EDT 2014 

Danilo,


Ok there is a details about my setup and my project..

1.       1.              I am running an Active Directory domain on a
Windows Server 2012 machine with two Windows (windows server 2012) clients
joined to the domain. Let’s call the domain DOMAIN and the machines DC,
CLIENT-1, and CLIENT-2.

2.       2.             Now CLIENT-1 wants to communicate with CLIENT-2. So
they authenticate each other using Kerberos. Here they can easily
authenticate each other.



In my project I want to implement Kerberos authentication so I take the
AP_REQ packet from CLIENT-2 and now I try to decrypt the TICKET which is
present in AP_REQ packet. I write separate code for Kerberos. I take AS_REP
and TGS_REP packet from CLIENT-2 machine and I try to decrypt enc-part of
them using my code and I got success. Now I want to decrypt the TICKET. I
know all the credential details of CLIENT-2. But I can’t decrypt the TICKET
from AP_REQ message.

-somenath

On Thu, Jun 12, 2014 at 7:25 AM, Danilo Almeida <dalmeida at mit.edu> wrote:

>  Somenath,
>
>
>
> Your description is still very unclear.
>
>
>
> My guess as to what you are describing:
>
> 1.       You are running an Active Directory domain on a Windows Server
> 2012 machine with two Windows (version?) clients joined to the domain.
> Let’s call the domain DOMAIN and the machines DC, CLIENT-1, and CLIENT-2.
>
> 2.       You have a domain user account called U1 at DOMAIN.
>
> 3.       You log into CLIENT-1 as U1 at DOMAIN.
>
> 4.       As U1 at DOMAIN on CLIENT-1, you try to access files over SMB2 on
> CLIENT-2.
>
>
>
> Is my understanding  correct? If so, is this failing somehow? If not,
> please make your scenario clearer.
>
>
>
> - Danilo
>
>
>
> *From:* somenath saha [mailto:saha.somenath.88 at gmail.com]
> *Sent:* Tuesday, June 10, 2014 9:54 PM
> *To:* Danilo Almeida
> *Cc:* Zheng, Kai; Wang Weijun; krbdev at mit.edu
>
> *Subject:* Re: TGS-REP TICKET decrypting problem
>
>
>
> HI all,
>
>
>
> I have three machine. one is used as windows server 2012 where KDC is
> running and also DHCP and DNS is running there. and other two pc is
> connected with this server. Now two client pc want to communicate with each
> other using cifsv2.  Before that they must be authenticate by kerberos.
> everything goes fine. The problem is arise where 2nd client pc want to
> decrypt the ticket which he recived from 1st client pc through AP-REQ
> message. I think 2nd client pc must not communicate again with kdc to get
> his secret key to decrypt the pc. It should be know to him but i'm unable
> to prepare the key as i don't know which credential is used to prepare the
> key. please go through the firs mail in this mail chain to find out the
> user Account credential for 2nd pc. The ticket is encrypted with
> aes256-cts-hmac-sha1-96 algorithm.
>
>
>
> regards
>
> somenath
>
>
>
> On Wed, Jun 11, 2014 at 3:50 AM, Danilo Almeida <dalmeida at mit.edu> wrote:
>
> Somenath,
>
> What is your end-to-end scenario?
>
> - Danilo
>
>
>

More information about the krbdev mailing list