TGS granting

moore moore moore_chestnut at yahoo.ie
Thu Nov 8 04:59:45 EST 2018


Hello Derek,
After some further research, I think I understand a bit better: the AP request between proxy and service is being delivered over SPNEGO. It is incorrect to think that it would have been explicitly visible in the trace between proxy and KDC, since it will be in the HTTP request from proxy to server.
Maybe the following is the reason I get so many 401 reauths from the server:
From 3.2.2.  Generation of a KRB_AP_REQ Message in RFC 4120:
"Authenticators MUST NOT be re-used and SHOULD be rejected if replayed to a server."

So, if I understand correctly based on your previous info, would the following be on the correct path:
- cache the service ticket
- on reauths, generate a new authenticator and reuse the cached service ticket
- somehow encapsulate the service ticket and the NEW authenticator into an AP-REQ
- deliver it over SPNEGO to the kerberised server
- thus eliminating the need for excessive round trips from proxy to KDC
If this is practical, I will try to figure out the kerb library API.
Appreciate your help. 

   On Tuesday 6 November 2018, 23:12:00 GMT, moore moore <moore_chestnut at yahoo.ie> wrote:  
 
Hello Derek,
Thanks again for the helpful information.
Time skew is not present and the service ticket is cached. 

OK, so at the moment, every time there is a 401 from the kerberised Windows server, the application process (on the proxy) goes to the KDC.
In Wireshark, this always shows as a TGS-REQ/TGS-RSP.
I never see an AP-REQ/AP-RSP in the trace/Wireshark. But looking at the Kerberos library logs, I see it mentioned there. And then I checked tcpdump and I see AP-REQ as a value in some of the TGS-REQs.

Sample kerb log below. 

Here there is:
- AS-REQ and pre-auth requested for the proxy at test.com user.
- AS-REQ and RSP for the proxy at test.com user.
- Sample TGS-REQ/RSP for testuser at test.com (can see AP-REQ in the log).
This is between proxy and KDC. So I am not sure if I can get some data/token from this and use it between proxy and service, which is over HTTP SPNEGO.

Is there sample code/API documentation you could refer me to so I could try to understand how to build and use the AP-REQ?
Thank you for your time. 


[14791] 1538167075.224560: Getting initial credentials for proxy at test.com
[14791] 1538167075.225189: Looked up etypes in keytab: rc4-hmac
[14791] 1538167075.225577: Sending request (177 bytes) to TEST.COM
[14791] 1538167075.225915: Resolving hostname 172.21.162.211
[14791] 1538167075.226408: Sending initial UDP request to dgram 172.21.162.211:88
[14791] 1538167075.227366: Received answer (214 bytes) from dgram 172.21.162.211:88
[14791] 1538167075.228299: Response was not from master KDC
[14791] 1538167075.228471: Received error from KDC: -1765328359/Additional pre-authentication required
[14791] 1538167075.228653: Processing preauth types: 16, 15, 19, 2
[14791] 1538167075.228829: Selected etype info: etype rc4-hmac, salt "", params ""
[14791] 1538167075.229021: Retrieving proxy at test.com from FILE:/etc/krb5.keytab (vno 0, enctype rc4-hmac) with result: 0/Success
[14791] 1538167075.229146: AS key obtained for encrypted timestamp: rc4-hmac/2163
[14791] 1538167075.229309: Encrypted timestamp (for 1538167075.859690): plain 301AA011180F32303138303932383230333735355AA10502030D1E2A, encrypted 717BCF6554C1F514AB6D86FB08D00E9BEA7EF1B56C6996DA76E0AB5D9812D5E0C4233E6DC88A7EEA6582FA5FDC22ADB86F95D178
[14791] 1538167075.229428: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[14791] 1538167075.229520: Produced preauth for next request: 2
[14791] 1538167075.229625: Sending request (251 bytes) to TEST.COM
[14791] 1538167075.229750: Resolving hostname 172.21.162.211
[14791] 1538167075.229923: Sending initial UDP request to dgram 172.21.162.211:88
[14791] 1538167075.230849: Received answer (98 bytes) from dgram 172.21.162.211:88
[14791] 1538167075.231488: Response was not from master KDC
[14791] 1538167075.231613: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[14791] 1538167075.231736: Request or response is too big for UDP; retrying with TCP
[14791] 1538167075.231832: Sending request (251 bytes) to TEST.COM (tcp only)
[14791] 1538167075.231927: Resolving hostname 172.21.162.211
[14791] 1538167075.232095: Initiating TCP connection to stream 172.21.162.211:88
[14791] 1538167075.232374: Sending TCP request to stream 172.21.162.211:88
[14791] 1538167075.233225: Received answer (1548 bytes) from stream 172.21.162.211:88
[14791] 1538167075.233701: Response was not from master KDC
[14791] 1538167075.233829: Salt derived from principal: TEST.COMproxy
[14791] 1538167075.233933: AS key determined by preauth: rc4-hmac/2163
[14791] 1538167075.234083: Decrypted AS reply; session key is: rc4-hmac/FAF6
[14791] 1538167075.234202: FAST negotiation: unavailable
[14791] 1538167075.234328: Initializing FILE:/tmp/krb5cc_0 with default princ proxy at test.com
[14791] 1538167075.234524: Removing proxy at test.com -> krbtgt/TEST.COM at TEST.COM from FILE:/tmp/krb5cc_0
[14791] 1538167075.234629: Storing proxy at test.com -> krbtgt/TEST.COM at TEST.COM in FILE:/tmp/krb5cc_0
[14791] 1538167075.234885: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/TEST.COM at TEST.COM: pa_type: 2
[14791] 1538167075.235039: Removing proxy at test.com -> krb5_ccache_conf_data/pa_type/krbtgt\/TEST.COM\@TEST.COM at X-CACHECONF: from FILE:/tmp/krb5cc_0
[14791] 1538167075.235143: Storing proxy at test.com -> krb5_ccache_conf_data/pa_type/krbtgt\/TEST.COM\@TEST.COM at X-CACHECONF: in FILE:/tmp/krb5cc_0
[14791] 1538167075.241199: Getting credentials testuser at TEST.COM -> proxy at test.com using ccache FILE:/tmp/krb5cc_0
[14791] 1538167075.241446: Retrieving testuser at TEST.COM -> proxy at test.com from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
[14791] 1538167075.241571: Getting credentials proxy at test.com -> krbtgt/TEST.COM at TEST.COM using ccache FILE:/tmp/krb5cc_0
[14791] 1538167075.241755: Retrieving proxy at test.com -> krbtgt/TEST.COM at TEST.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[14791] 1538167075.241886: Get cred via TGT krbtgt/TEST.COM at TEST.COM after requesting proxy at test.com (canonicalize on)
[14791] 1538167075.241986: Generated subkey for TGS request: rc4-hmac/86EA
[14791] 1538167075.242096: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[14791] 1538167075.242257: Encoding request body and padata into FAST request
[14791] 1538167075.242433: Sending request (2176 bytes) to TEST.COM
[14791] 1538167075.242534: Resolving hostname 172.21.162.211
[14791] 1538167075.242729: Initiating TCP connection to stream 172.21.162.211:88
[14791] 1538167075.243002: Sending TCP request to stream 172.21.162.211:88
[14791] 1538167075.244768: Received answer (1842 bytes) from stream 172.21.162.211:88
[14791] 1538167075.245459: Response was not from master KDC
[14791] 1538167075.245556: Decoding FAST response
[14791] 1538167075.245748: FAST reply key: rc4-hmac/F069
[14791] 1538167075.245871: TGS reply is for testuser at TEST.COM -> proxy at test.com with session key rc4-hmac/AEF0
[14791] 1538167075.245967: Got cred; 0/Success
[14791] 1538167075.246061: Resolving unique ccache of type MEMORY
[14791] 1538167075.246144: Initializing MEMORY:sAA7vI4 with default princ testuser at TEST.COM
[14791] 1538167075.246270: Removing proxy at test.com -> krbtgt/TEST.COM at TEST.COM from MEMORY:sAA7vI4
[14791] 1538167075.246347: Storing proxy at test.com -> krbtgt/TEST.COM at TEST.COM in MEMORY:sAA7vI4
[14791] 1538167075.246444: Removing proxy at test.com -> krb5_ccache_conf_data/pa_type/krbtgt\/TEST.COM\@TEST.COM at X-CACHECONF: from MEMORY:sAA7vI4
[14791] 1538167075.246520: Storing proxy at test.com -> krb5_ccache_conf_data/pa_type/krbtgt\/TEST.COM\@TEST.COM at X-CACHECONF: in MEMORY:sAA7vI4
[14791] 1538167075.246613: Storing config in MEMORY:sAA7vI4 for : proxy_impersonator: proxy at test.com
[14791] 1538167075.246737: Removing testuser at TEST.COM -> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from MEMORY:sAA7vI4
[14791] 1538167075.246813: Storing testuser at TEST.COM -> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: in MEMORY:sAA7vI4
[14791] 1538167075.246891: Removing testuser at TEST.COM -> proxy at test.com from MEMORY:sAA7vI4
[14791] 1538167075.246963: Storing testuser at TEST.COM -> proxy at test.com in MEMORY:sAA7vI4
[14791] 1538167075.247319: Getting credentials testuser at TEST.COM -> proxy at test.com using ccache FILE:/tmp/krb5cc_0
[14791] 1538167075.247489: Retrieving testuser at TEST.COM -> proxy at test.com from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
[14791] 1538167075.247576: Getting credentials proxy at test.com -> krbtgt/TEST.COM at TEST.COM using ccache FILE:/tmp/krb5cc_0
[14791] 1538167075.247758: Retrieving proxy at test.com -> krbtgt/TEST.COM at TEST.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[14791] 1538167075.247863: Get cred via TGT krbtgt/TEST.COM at TEST.COM after requesting proxy at test.com (canonicalize on)
[14791] 1538167075.247953: Generated subkey for TGS request: rc4-hmac/F169
[14791] 1538167075.248043: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[14791] 1538167075.248184: Encoding request body and padata into FAST request
[14791] 1538167075.248353: Sending request (2176 bytes) to TEST.COM
[14791] 1538167075.248448: Resolving hostname 172.21.162.211
[14791] 1538167075.248605: Initiating TCP connection to stream 172.21.162.211:88
[14791] 1538167075.248931: Sending TCP request to stream 172.21.162.211:88
[14791] 1538167075.250602: Received answer (1842 bytes) from stream 172.21.162.211:88
[14791] 1538167075.251358: Response was not from master KDC
[14791] 1538167075.251478: Decoding FAST response
[14791] 1538167075.251629: FAST reply key: rc4-hmac/E50D
[14791] 1538167075.251805: TGS reply is for testuser at TEST.COM -> proxy at test.com with session key rc4-hmac/F1B4
[14791] 1538167075.251901: Got cred; 0/Success
[14791] 1538167075.251999: Resolving unique ccache of type MEMORY
[14791] 1538167075.252080: Initializing MEMORY:2zEVGbO with default princ testuser at TEST.COM
[14791] 1538167075.252202: Removing proxy at test.com -> krbtgt/TEST.COM at TEST.COM from MEMORY:2zEVGbO
[14791] 1538167075.252276: Storing proxy at test.com -> krbtgt/TEST.COM at TEST.COM in MEMORY:2zEVGbO
[14791] 1538167075.252371: Removing proxy at test.com -> krb5_ccache_conf_data/pa_type/krbtgt\/TEST.COM\@TEST.COM at X-CACHECONF: from MEMORY:2zEVGbO
[14791] 1538167075.252448: Storing proxy at test.com -> krb5_ccache_conf_data/pa_type/krbtgt\/TEST.COM\@TEST.COM at X-CACHECONF: in MEMORY:2zEVGbO
[14791] 1538167075.252538: Storing config in MEMORY:2zEVGbO for : proxy_impersonator: proxy at test.com
[14791] 1538167075.252614: Removing testuser at TEST.COM -> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from MEMORY:2zEVGbO
[14791] 1538167075.252721: Storing testuser at TEST.COM -> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: in MEMORY:2zEVGbO
[14791] 1538167075.252802: Removing testuser at TEST.COM -> proxy at test.com from MEMORY:2zEVGbO
[14791] 1538167075.252873: Storing testuser at TEST.COM -> proxy at test.com in MEMORY:2zEVGbO
[14791] 1538167075.253224: Getting credentials testuser at TEST.COM -> proxy at test.com using ccache FILE:/tmp/krb5cc_0
[14791] 1538167075.253394: Retrieving testuser at TEST.COM -> proxy at test.com from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
[14791] 1538167075.253482: Getting credentials proxy at test.com -> krbtgt/TEST.COM at TEST.COM using ccache FILE:/tmp/krb5cc_0
[14791] 1538167075.253634: Retrieving proxy at test.com -> krbtgt/TEST.COM at TEST.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[14791] 1538167075.253798: Get cred via TGT krbtgt/TEST.COM at TEST.COM after requesting proxy at test.com (canonicalize on)
[14791] 1538167075.253893: Generated subkey for TGS request: rc4-hmac/0FA7
[14791] 1538167075.253985: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[14791] 1538167075.254128: Encoding request body and padata into FAST request
[14791] 1538167075.254285: Sending request (2176 bytes) to TEST.COM
[14791] 1538167075.254380: Resolving hostname 172.21.162.211
[14791] 1538167075.254531: Initiating TCP connection to stream 172.21.162.211:88
[14791] 1538167075.254767: Sending TCP request to stream 172.21.162.211:88
[14791] 1538167075.256452: Received answer (1842 bytes) from stream 172.21.162.211:88
[14791] 1538167075.257177: Response was not from master KDC
[14791] 1538167075.257272: Decoding FAST response
[14791] 1538167075.257422: FAST reply key: rc4-hmac/F998
[14791] 1538167075.257538: TGS reply is for testuser at TEST.COM -> proxy at test.com with session key rc4-hmac/6958
[14791] 1538167075.257633: Got cred; 0/Success
[14791] 1538167075.257759: Resolving unique ccache of type MEMORY
[14791] 1538167075.257845: Initializing MEMORY:mhj20wl with default princ testuser at TEST.COM
[14791] 1538167075.257968: Removing proxy at test.com -> krbtgt/TEST.COM at TEST.COM from MEMORY:mhj20wl
[14791] 1538167075.258044: Storing proxy at test.com -> krbtgt/TEST.COM at TEST.COM in MEMORY:mhj20wl
[14791] 1538167075.258140: Removing proxy at test.com -> krb5_ccache_conf_data/pa_type/krbtgt\/TEST.COM\@TEST.COM at X-CACHECONF: from MEMORY:mhj20wl
[14791] 1538167075.258224: Storing proxy at test.com -> krb5_ccache_conf_data/pa_type/krbtgt\/TEST.COM\@TEST.COM at X-CACHECONF: in MEMORY:mhj20wl
[14791] 1538167075.258330: Storing config in MEMORY:mhj20wl for : proxy_impersonator: proxy at test.com
[14791] 1538167075.258407: Removing testuser at TEST.COM -> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from MEMORY:mhj20wl
[14791] 1538167075.258478: Storing testuser at TEST.COM -> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: in MEMORY:mhj20wl
[14791] 1538167075.258552: Removing testuser at TEST.COM -> proxy at test.com from MEMORY:mhj20wl
[14791] 1538167075.258623: Storing testuser at TEST.COM -> proxy at test.com in MEMORY:mhj20wl
[14791] 1538167075.258994: Getting credentials testuser at TEST.COM -> proxy at test.com using ccache FILE:/tmp/krb5cc_0
[14791] 1538167075.259163: Retrieving testuser at TEST.COM -> proxy at test.com from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
[14791] 1538167075.259251: Getting credentials proxy at test.com -> krbtgt/TEST.COM at TEST.COM using ccache FILE:/tmp/krb5cc_0
[14791] 1538167075.259403: Retrieving proxy at test.com -> krbtgt/TEST.COM at TEST.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[14791] 1538167075.259503: Get cred via TGT krbtgt/TEST.COM at TEST.COM after requesting proxy at test.com (canonicalize on)
[14791] 1538167075.259593: Generated subkey for TGS request: rc4-hmac/1E3B
[14791] 1538167075.259709: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[14791] 1538167075.259860: Encoding request body and padata into FAST request
[14791] 1538167075.260017: Sending request (2176 bytes) to TEST.COM
[14791] 1538167075.260113: Resolving hostname 172.21.162.211
[14791] 1538167075.260264: Initiating TCP connection to stream 172.21.162.211:88
[14791] 1538167075.260492: Sending TCP request to stream 172.21.162.211:88
[14791] 1538167075.262157: Received answer (1842 bytes) from stream 172.21.162.211:88
[14791] 1538167075.263296: Response was not from master KDC
[14791] 1538167075.263396: Decoding FAST response
[14791] 1538167075.263545: FAST reply key: rc4-hmac/C06A
[14791] 1538167075.263659: TGS reply is for testuser at TEST.COM -> proxy at test.com with session key rc4-hmac/A45B
[14791] 1538167075.263783: Got cred; 0/Success
[14791] 1538167075.263873: Resolving unique ccache of type MEMORY
[14791] 1538167075.263951: Initializing MEMORY:KH07w0C with default princ testuser at TEST.COM
[14791] 1538167075.264079: Removing proxy at test.com -> krbtgt/TEST.COM at TEST.COM from MEMORY:KH07w0C
[14791] 1538167075.264156: Storing proxy at test.com -> krbtgt/TEST.COM at TEST.COM in MEMORY:KH07w0C
[14791] 1538167075.264252: Removing proxy at test.com -> krb5_ccache_conf_data/pa_type/krbtgt\/TEST.COM\@TEST.COM at X-CACHECONF: from MEMORY:KH07w0C
[14791] 1538167075.264320: Storing proxy at test.com -> krb5_ccache_conf_data/pa_type/krbtgt\/TEST.COM\@TEST.COM at X-CACHECONF: in MEMORY:KH07w0C
[14791] 1538167075.264398: Storing config in MEMORY:KH07w0C for : proxy_impersonator: proxy at test.com
[14791] 1538167075.264464: Removing testuser at TEST.COM -> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from MEMORY:KH07w0C
[14791] 1538167075.264523: Storing testuser at TEST.COM -> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: in MEMORY:KH07w0C
[14791] 1538167075.264588: Removing testuser at TEST.COM -> proxy at test.com from MEMORY:KH07w0C
[14791] 1538167075.264648: Storing testuser at TEST.COM -> proxy at test.com in MEMORY:KH07w0C
[14791] 1538167075.265171: Getting credentials testuser at TEST.COM -> proxy at test.com using ccache MEMORY:sAA7vI4
[14791] 1538167075.265276: Retrieving testuser at TEST.COM -> proxy at test.com from MEMORY:sAA7vI4 with result: 0/Success
[14791] 1538167075.265424: Creating authenticator for testuser at TEST.COM -> proxy at test.com, seqnum 774377519, subkey rc4-hmac/46AC, session key rc4-hmac/AEF0
[14791] 1538167075.265952: Decrypted AP-REQ with server principal proxy at test.com: rc4-hmac/2163
[14791] 1538167075.266046: AP-REQ ticket: testuser at TEST.COM -> proxy at test.com, session key rc4-hmac/AEF0
[14791] 1538167075.266387: Negotiated enctype based on authenticator: rc4-hmac
[14791] 1538167075.266462: Authenticator contains subkey: rc4-hmac/46AC
[14791] 1538167075.266554: Resolving unique ccache of type MEMORY
[14791] 1538167075.266631: Initializing MEMORY:narfKr4 with default princ testuser at TEST.COM
[14791] 1538167075.266831: Removing proxy at test.com -> krbtgt/TEST.COM at TEST.COM from MEMORY:narfKr4
[14791] 1538167075.266921: Storing proxy at test.com -> krbtgt/TEST.COM at TEST.COM in MEMORY:narfKr4
[14791] 1538167075.267043: Removing proxy at test.com -> krb5_ccache_conf_data/pa_type/krbtgt\/TEST.COM\@TEST.COM at X-CACHECONF: from MEMORY:narfKr4
[14791] 1538167075.267137: Storing proxy at test.com -> krb5_ccache_conf_data/pa_type/krbtgt\/TEST.COM\@TEST.COM at X-CACHECONF: in MEMORY:narfKr4
[14791] 1538167075.267223: Storing config in MEMORY:narfKr4 for : proxy_impersonator: proxy at test.com
[14791] 1538167075.267292: Removing testuser at TEST.COM -> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from MEMORY:narfKr4
[14791] 1538167075.267352: Storing testuser at TEST.COM -> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: in MEMORY:narfKr4
[14791] 1538167075.267419: Removing testuser at TEST.COM -> proxy at test.com from MEMORY:narfKr4
[14791] 1538167075.267478: Storing testuser at TEST.COM -> proxy at test.com in MEMORY:narfKr4
[14791] 1538167075.268760: Retrieving testuser at TEST.COM -> proxy at test.com from MEMORY:narfKr4 with result: 0/Success
[14791] 1538167075.268838: Getting credentials proxy at test.com -> http/testserver.TEST.COM at TEST.COM using ccache MEMORY:narfKr4
[14791] 1538167075.268942: Retrieving proxy at test.com -> krbtgt/TEST.COM at TEST.COM from MEMORY:narfKr4 with result: 0/Success
[14791] 1538167075.269007: Starting with TGT for client realm: proxy at test.com -> krbtgt/TEST.COM at TEST.COM
[14791] 1538167075.269065: Requesting tickets for http/testserver.TEST.COM at TEST.COM, referrals on
[14791] 1538167075.269139: Generated subkey for TGS request: rc4-hmac/68E3
[14791] 1538167075.269221: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[14791] 1538167075.269369: Encoding request body and padata into FAST request
[14791] 1538167075.269577: Sending request (4026 bytes) to TEST.COM
[14791] 1538167075.269685: Resolving hostname 172.21.162.211
[14791] 1538167075.269846: Initiating TCP connection to stream 172.21.162.211:88
[14791] 1538167075.270110: Sending TCP request to stream 172.21.162.211:88
[14791] 1538167075.272750: Received answer (1932 bytes) from stream 172.21.162.211:88
[14791] 1538167075.273519: Response was not from master KDC
[14791] 1538167075.273623: Decoding FAST response
[14791] 1538167075.273844: FAST reply key: rc4-hmac/25D0
[14791] 1538167075.273980: TGS reply is for testuser at TEST.COM -> http/testserver.TEST.COM at TEST.COM with session key aes256-cts/81DC
[14791] 1538167075.274086: TGS request result: 0/Success
[14791] 1538167075.274161: Received creds for desired service http/testserver.TEST.COM at TEST.COM
[14791] 1538167075.274236: Removing testuser at TEST.COM -> http/testserver.TEST.COM at TEST.COM from MEMORY:narfKr4
[14791] 1538167075.274310: Storing testuser at TEST.COM -> http/testserver.TEST.COM at TEST.COM in MEMORY:narfKr4
[14791] 1538167075.274464: Creating authenticator for testuser at TEST.COM -> http/testserver.TEST.COM at TEST.COM, seqnum 1049723237, subkey aes256-cts/323A, session key aes256-cts/81DC
[14791] 1538167075.275185: Destroying ccache MEMORY:narfKr4
[14791] 1538167075.275320: Destroying ccache MEMORY:sAA7vI4
[14791] 1538167075.275477: Destroying ccache MEMORY:2zEVGbO
[14791] 1538167075.275631: Destroying ccache MEMORY:mhj20wl
[14791] 1538167075.275851: Destroying ccache MEMORY:KH07w0C

    On Monday 5 November 2018, 15:56:23 GMT, Derek Atkins <derek at ihtfp.com> wrote:  
 
 moore moore <moore_chestnut at yahoo.ie> writes:

> This is really helpful and makes a lot of sense. Thank you for the detailed
> info.
>
> So in relation to:
> "4) If the service requests updated authentication (401) the proxy can
> refresh by re-running the Application authentication protocol using the
> cached service ticket.  This can continue until the service ticket
> expires."
>
> By "Application authentication protocol", do you mean TGS_REQ/RSP to the KDC?

No, I mean the AP_REQ/AP_REP between the Kerberos Client and the
Kerberized Server.

> On the proxy, there is an application process ( using the kerberos lib) and
> the TGT is cached in kerberos credential cache. All this is fine.
> The service ticket is cached in an application level process.

Right, that would be caching the TGS_REQ/TGS_REP from the KDC.  This
caching should be valid for ~24 hours, depending on how long the service
ticket is valid for.

> But I get very little use out of the cached service ticket, due to the demand
> and frequency of the 401s.
> When the 401 happens, ( in relation to your point 4), a series of TGS_REQ/RSP
> result on the wire between proxy and KDC. If I just use the cached ticket
> here, then it is just a crazy loop of 401s. That's why application process
> goes to KDC for new service ticket, which the kerberized service will accept,
> but then will quickly issue 401s again, thus resulting in having to go back to
> KDC again for new service ticket.

Have you verified that the service ticket is still valid?
Is there a time skew between the proxy (kerberos client) and the service?

> Is this the correct and only way for the proxy to "refresh" the service
> ticket?

No, you should be able to re-use the Service Ticket and just issue a new
AP_REQ/AP_REP between the proxy and the service.  Unless the problem is
that the proxy is caching *THIS* -- in which case yes, you're kind of
screwed.  Note that the AP_REQ/AP_REP is between the client and service,
and NOT with the KDC, so there is no reason that the client would need
to cache this.

> Thank you.

-derek
-- 
      Derek Atkins                617-623-3745
      derek at ihtfp.com            www.ihtfp.com
      Computer and Internet Security Consultant
    
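To put numbers on the libkrb5 trace quoted in the thread, here is an added example (my own script, not code from the thread or from MIT krb5) that parses KRB5_TRACE output and tallies, per client -> service credential, how many times the library looked it up and missed, fetched it from the KDC, stored it, and built an authenticator (AP-REQ) from it. The embedded sample is a constructed, condensed subset of the posted trace with the archive's " at " restored to the "@" that libkrb5 actually prints. On that sample it reports the testuser -> proxy ticket fetched twice and stored only in MEMORY ccaches that are destroyed at the end, while every lookup for it went to FILE:/tmp/krb5cc_0; the http/testserver ticket is fetched once and used for one authenticator.

```python
"""Tally KDC round trips against AP-REQ authenticators in a KRB5_TRACE log."""
import re
from collections import defaultdict

# Constructed sample: a condensed subset of the libkrb5 trace posted in the
# thread, with the list archive's " at " restored to the "@" libkrb5 prints.
SAMPLE_TRACE = """\
[14791] 1538167075.241446: Retrieving testuser@TEST.COM -> proxy@test.com from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
[14791] 1538167075.242433: Sending request (2176 bytes) to TEST.COM
[14791] 1538167075.245871: TGS reply is for testuser@TEST.COM -> proxy@test.com with session key rc4-hmac/AEF0
[14791] 1538167075.246963: Storing testuser@TEST.COM -> proxy@test.com in MEMORY:sAA7vI4
[14791] 1538167075.247489: Retrieving testuser@TEST.COM -> proxy@test.com from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
[14791] 1538167075.248353: Sending request (2176 bytes) to TEST.COM
[14791] 1538167075.251805: TGS reply is for testuser@TEST.COM -> proxy@test.com with session key rc4-hmac/F1B4
[14791] 1538167075.252873: Storing testuser@TEST.COM -> proxy@test.com in MEMORY:2zEVGbO
[14791] 1538167075.265276: Retrieving testuser@TEST.COM -> proxy@test.com from MEMORY:sAA7vI4 with result: 0/Success
[14791] 1538167075.265424: Creating authenticator for testuser@TEST.COM -> proxy@test.com, seqnum 774377519, subkey rc4-hmac/46AC, session key rc4-hmac/AEF0
[14791] 1538167075.269577: Sending request (4026 bytes) to TEST.COM
[14791] 1538167075.273980: TGS reply is for testuser@TEST.COM -> http/testserver.TEST.COM@TEST.COM with session key aes256-cts/81DC
[14791] 1538167075.274310: Storing testuser@TEST.COM -> http/testserver.TEST.COM@TEST.COM in MEMORY:narfKr4
[14791] 1538167075.274464: Creating authenticator for testuser@TEST.COM -> http/testserver.TEST.COM@TEST.COM, seqnum 1049723237, subkey aes256-cts/323A, session key aes256-cts/81DC
[14791] 1538167075.275320: Destroying ccache MEMORY:sAA7vI4
[14791] 1538167075.275477: Destroying ccache MEMORY:2zEVGbO
"""

LINE_RE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")  # "[pid] secs.usec: message"
CRED = r"(\S+ -> \S+)"                                   # "client -> service"
PATTERNS = {
    "lookup":   re.compile(r"Retrieving " + CRED + r" from (\S+) with result: (-?\d+)/"),
    "tgs":      re.compile(r"TGS reply is for " + CRED + r" with session key"),
    "store":    re.compile(r"Storing " + CRED + r" in (\S+)"),
    "ap_req":   re.compile(r"Creating authenticator for " + CRED + r","),
    "kdc_send": re.compile(r"Sending request \((\d+) bytes\) to (\S+)"),
    "destroy":  re.compile(r"Destroying ccache (\S+)"),
}

def parse_trace(text):
    """Yield (timestamp, message) for every well-formed trace line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield float(m.group(2)), m.group(3)

def summarize(text):
    """Per credential: lookups, misses, KDC fetches, stores and authenticators."""
    per_cred = defaultdict(lambda: {"lookups": 0, "misses": 0, "tgs_replies": 0,
                                    "stored_in": set(), "missed_in": set(),
                                    "authenticators": 0})
    kdc_requests = []   # (bytes, realm) for each logical request sent to a KDC
    destroyed = set()   # ccaches torn down before the trace ends
    for _ts, msg in parse_trace(text):
        if (m := PATTERNS["lookup"].search(msg)):
            cred, ccache, code = m.group(1), m.group(2), int(m.group(3))
            if "X-CACHECONF" in cred:   # ccache config pseudo-entries, not tickets
                continue
            per_cred[cred]["lookups"] += 1
            if code != 0:
                per_cred[cred]["misses"] += 1
                per_cred[cred]["missed_in"].add(ccache)
        elif (m := PATTERNS["tgs"].search(msg)):
            per_cred[m.group(1)]["tgs_replies"] += 1
        elif (m := PATTERNS["store"].search(msg)):
            if "X-CACHECONF" not in m.group(1):
                per_cred[m.group(1)]["stored_in"].add(m.group(2))
        elif (m := PATTERNS["ap_req"].search(msg)):
            per_cred[m.group(1)]["authenticators"] += 1
        elif (m := PATTERNS["kdc_send"].search(msg)):
            kdc_requests.append((int(m.group(1)), m.group(2)))
        elif (m := PATTERNS["destroy"].search(msg)):
            destroyed.add(m.group(1))
    return {"per_cred": dict(per_cred), "kdc_requests": kdc_requests, "destroyed": destroyed}

def cache_churn(summary):
    """Credentials fetched from the KDC more than once whose stored copies live in
    ccaches that none of the failed lookups ever consulted."""
    churn = {}
    for cred, s in summary["per_cred"].items():
        if s["tgs_replies"] > 1 and not (s["stored_in"] & s["missed_in"]):
            churn[cred] = {"tgs_replies": s["tgs_replies"],
                           "stored_in": sorted(s["stored_in"]),
                           "looked_up_in": sorted(s["missed_in"]),
                           "destroyed": sorted(s["stored_in"] & summary["destroyed"])}
    return churn

if __name__ == "__main__":
    summary = summarize(SAMPLE_TRACE)
    print("KDC round trips:", len(summary["kdc_requests"]))
    for cred, s in summary["per_cred"].items():
        print(f"{cred}: {s['tgs_replies']} TGS fetches, {s['authenticators']} authenticators")
    for cred, info in cache_churn(summary).items():
        print("cache churn:", cred, info)
```

To run it against a real capture, set `KRB5_TRACE=/path/to/trace.log` in the proxy process's environment and pass the file contents to `summarize()`; a credential that shows up in `cache_churn()` is one the library keeps re-fetching because the ccache it lands in is not the one the next lookup consults.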