Some tough-to-crack Kerberos case

Uri Simchoni uri at samba.org
Thu May 5 08:19:29 UTC 2016


On 05/04/2016 10:53 PM, Uri Simchoni wrote:
> Hi,
> 
> I have a case where my Kerberos TGS requests for ldap are not being
> answered by the Windows (2003R2/2008R2) domain controller. It involves
> an RODC. I have it reproduced in the lab, and also with "vanilla" samba
> 4.3.9 as client (it also happens on pre-security-release versions).
> Opened https://bugzilla.samba.org/show_bug.cgi?id=11900 .
> 
> The peculiar thing is that the TGS is not being answered at all, and if
> it's over TCP, the connection is shut by the server - as if something is
> crashing on the Windows side. That's why I'd like to get more info on
> what happens on the Windows side.
> 
> Does anyone have tips or pointers for debugging/tracing Kerberos on
> Windows? Somewhere where I can open a ticket maybe (is dochelp
> applicable for that stuff?)
> 
> Thanks,
> Uri.
> 
It seems like an ASN.1 issue. The link below mentions this behavior of
not answering the TGS:

https://blogs.msdn.microsoft.com/openspecification/2011/05/11/notes-on-kerberos-kvno-in-windows-rodc-environment/

"It should be noted that if the TGS-REQ is malformed, e.g. Kvno encoded
with more than 4 bytes, it is possible that the KDC discards the request
without an error indication, for the purpose of mitigating a security
attack."

And indeed, the KVNO of 0x9d720001 is encoded as 00 9d 72 00 01, whereas
the KVNO of the TGT in the AS-REP is 9d 71 00 01.

I'll be looking at how to fix this, have to refresh my ASN.1 first...

Uri.
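
The encoding difference described in the reply above, as an added example that is not part of the original post and is not Samba's code: DER stores an INTEGER as minimal two's complement, so 0x9d720001 taken as a positive number needs a leading 00 octet (five octets), while the same 32 bits read as a signed value fit in four. The function names and the signed reinterpretation are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Write the DER content octets (no tag or length) of an ASN.1 INTEGER:
 * big-endian two's complement, using the fewest octets that keep the sign.
 * Returns the number of octets written to out (1..8). */
size_t der_int_content(int64_t v, uint8_t out[8])
{
    uint64_t u = (uint64_t)v;
    size_t n = 8;
    while (n > 1) { /* drop leading octets that are pure sign extension */
        uint8_t top  = (uint8_t)(u >> (8 * (n - 1)));
        uint8_t next = (uint8_t)(u >> (8 * (n - 2)));
        if ((top == 0x00 && !(next & 0x80)) || (top == 0xff && (next & 0x80)))
            n--;
        else
            break;
    }
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)(u >> (8 * (n - 1 - i)));
    return n;
}

/* kvno encoded as a positive number: high bit set forces a leading 00. */
size_t kvno_as_unsigned(uint32_t kvno, uint8_t out[8])
{
    return der_int_content((int64_t)kvno, out);
}

/* Assumption of this example: the same 32 bits reinterpreted as a signed
 * 32-bit value, which keeps the content within four octets. */
size_t kvno_as_signed32(uint32_t kvno, uint8_t out[8])
{
    return der_int_content((int64_t)(int32_t)kvno, out);
}

int main(void)
{
    uint8_t buf[8];
    uint32_t kvno = 0x9d720001u; /* value quoted in the post */
    size_t n = kvno_as_unsigned(kvno, buf);
    printf("as unsigned      (%zu octets):", n);
    for (size_t i = 0; i < n; i++) printf(" %02x", buf[i]);
    n = kvno_as_signed32(kvno, buf);
    printf("\nas signed 32-bit (%zu octets):", n);
    for (size_t i = 0; i < n; i++) printf(" %02x", buf[i]);
    printf("\n");
    return 0;
}
```

A kvno below 0x80000000 encodes identically both ways, which is why the difference only appears with RODC-style key version numbers that set the top bit.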


