Some tough-to-crack Kerberos case

Uri Simchoni uri at
Thu May 5 08:19:29 UTC 2016

On 05/04/2016 10:53 PM, Uri Simchoni wrote:
> Hi,
> I have a case where my Kerberos TGS requests for ldap are not being
> answered by the Windows (2003R2/2008R2) domain controller. It involves
> an RODC. I have it reproduced in the lab, and also with "vanilla" samba
> 4.3.9 as client (it also happens on pre-security-release versions).
> Opened .
> The peculiar thing is that the TGS is not being answered at all, and if
> it's over TCP, the connection is shut by the server - as if something is
> crashing on the Windows side. That's why I'd like to get more info on
> what happens on the Windows side.
> Does anyone have tips or pointers for debugging/tracing Kerberos on
> Windows? Somewhere where I can open a ticket maybe (is dochelp
> applicable for that stuff?)
> Thanks,
> Uri.
It seems like an ASN-1 issue. The link below mentions this behavior of
not answering the TGS:

"It should be noted that if the TGS-REQ is malformed, e.g. Kvno encoded
with more than 4 bytes, it is possible that the KDC discards the request
without an error indication, for the purpose of mitigating a security

And indeed, the KVNO of 0x9d720001 is encoded as 00 9d 72 00 01, whereas
the KVNO of the TGT in the AS-REP is 9d 71 00 01.

I'll be looking at how to fix this, have to refresh my ASN-1 first...


More information about the samba-technical mailing list