TGS-REP TICKET decrypting problem

somenath saha saha.somenath.88 at gmail.com
Fri Jun 13 00:59:11 EDT 2014


Hi Danilo and others,

       I forgot to mention something about my setup. I am running an
Active Directory domain on a Windows Server 2012 machine with two Windows
(Windows Server 2012) clients joined to the domain. In Windows Server 2012
I created a user "krbtest"; the password of this user is "Krbtest2012", with
the corresponding domain and enctype. Now I prepare a key using the user
credential, i.e. username "krbtest" and its password, and using this key I
can decrypt the AS_REP message, but I can't decrypt the TGS_REP ticket
using that key. Please help me out and inform me if you need any other
details.

regards,
somenath



On Thu, Jun 12, 2014 at 11:59 AM, somenath saha <saha.somenath.88 at gmail.com>
wrote:

> Danilo,
>
>
> Ok, here are the details about my setup and my project.
>
> 1. I am running an Active Directory domain on a Windows Server 2012
> machine with two Windows (Windows Server 2012) clients joined to the
> domain. Let’s call the domain DOMAIN and the machines DC, CLIENT-1, and
> CLIENT-2.
>
> 2. Now CLIENT-1 wants to communicate with CLIENT-2, so they authenticate
> each other using Kerberos. Here they can easily authenticate each other.
>
>
>
> In my project I want to implement Kerberos authentication, so I take the
> AP_REQ packet from CLIENT-2 and now I try to decrypt the TICKET which is
> present in the AP_REQ packet. I write separate code for Kerberos. I take
> the AS_REP and TGS_REP packets from the CLIENT-2 machine and I try to
> decrypt the enc-part of them using my code, and I succeeded. Now I want to
> decrypt the TICKET. I know all the credential details of CLIENT-2. But I
> can’t decrypt the TICKET from the AP_REQ message.
>
> -somenath
>
> On Thu, Jun 12, 2014 at 7:25 AM, Danilo Almeida <dalmeida at mit.edu> wrote:
>
>>  Somenath,
>>
>>
>>
>> Your description is still very unclear.
>>
>>
>>
>> My guess as to what you are describing:
>>
>> 1. You are running an Active Directory domain on a Windows Server
>> 2012 machine with two Windows (version?) clients joined to the domain.
>> Let’s call the domain DOMAIN and the machines DC, CLIENT-1, and CLIENT-2.
>>
>> 2. You have a domain user account called U1 at DOMAIN.
>>
>> 3. You log into CLIENT-1 as U1 at DOMAIN.
>>
>> 4. As U1 at DOMAIN on CLIENT-1, you try to access files over SMB2 on
>> CLIENT-2.
>>
>>
>>
>> Is my understanding correct? If so, is this failing somehow? If not,
>> please make your scenario clearer.
>>
>>
>>
>> - Danilo
>>
>>
>>
>> *From:* somenath saha [mailto:saha.somenath.88 at gmail.com]
>> *Sent:* Tuesday, June 10, 2014 9:54 PM
>> *To:* Danilo Almeida
>> *Cc:* Zheng, Kai; Wang Weijun; krbdev at mit.edu
>>
>> *Subject:* Re: TGS-REP TICKET decrypting problem
>>
>>
>>
>> Hi all,
>>
>>
>>
>> I have three machines. One is used as a Windows Server 2012 where the KDC is
>> running, and DHCP and DNS are also running there. The other two PCs are
>> connected to this server. Now the two client PCs want to communicate with
>> each other using CIFSv2. Before that they must be authenticated by Kerberos.
>> Everything goes fine. The problem arises where the 2nd client PC wants to
>> decrypt the ticket which it received from the 1st client PC through the
>> AP-REQ message. I think the 2nd client PC must not communicate again with
>> the KDC to get its secret key to decrypt it. It should be known to it, but
>> I'm unable to prepare the key as I don't know which credential is used to
>> prepare the key. Please go through the first mail in this mail chain to find
>> out the user account credential for the 2nd PC. The ticket is encrypted with
>> the aes256-cts-hmac-sha1-96 algorithm.
>>
>>
>>
>> regards
>>
>> somenath
>>
>>
>>
>> On Wed, Jun 11, 2014 at 3:50 AM, Danilo Almeida <dalmeida at mit.edu> wrote:
>>
>> Somenath,
>>
>> What is your end-to-end scenario?
>>
>> - Danilo
>>
>>
>>
>
>


More information about the krbdev mailing list