TGS-REP TICKET decrypting problem

classic Classic list List threaded Threaded
25 messages Options
12
Reply | Threaded
Open this post in threaded view
|

TGS-REP TICKET decrypting problem

somenath saha
Hi,

      I need some information regarding the ticket creation in KDC.

      Assume my pc’s host name is “SOMENATH-PC” & it has 3 user accounts.
They are:



                        *USER NAME                        PASSWORD *

i)             Administrator                        administrator

ii)            Somenath                             somenath

iii)           Guest                                     guest



Now in TGS_REQ message I send “*cifs/SOMENATH-PC.xyz.com
<http://SOMENATH-PC.xyz.com>” *as server name (Service & Host) in
KDC_REQ_BODY. After receiving TGS_REQ message KDC prepare a ticket which is
encrypted by using server’s secret key i.e. SOMENATH-PC’s secret key.



Now my question is that in order to encrypt the enc-part of the ticket what
credential’s is used by KDC as *“SOMENATH-PC”* has three user accounts
which is mentioned above. Please provide me some information regarding my
question.



Regards,

Somenath
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Reply | Threaded
Open this post in threaded view
|

Re: TGS-REP TICKET decrypting problem

somenath saha
Hi,

      I need some information regarding the ticket creation in KDC.

      Assume my pc’s host name is “SOMENATH-PC” & it has 3 user accounts.
They are:



                        *USER NAME                        PASSWORD*

i)             Administrator                        administrator

ii)            Somenath                             somenath

iii)           Guest                                     guest



Now in TGS_REQ message I send “*cifs/SOMENATH-PC.xyz.com
<http://somenath-pc.xyz.com/>” *as server name (Service & Host) in
KDC_REQ_BODY. After receiving TGS_REQ message KDC prepare a ticket which is
encrypted by using server’s secret key i.e. SOMENATH-PC’s secret key.



Now my question is that in order to encrypt the enc-part of the ticket what
credential’s is used by KDC as *“SOMENATH-PC”* has three user accounts
which is mentioned above. Please provide me some information regarding my
question.



Regards,

Somenath


On Thu, May 15, 2014 at 12:56 PM, somenath saha
<[hidden email]>wrote:

> Hi,
>
>       I need some information regarding the ticket creation in KDC.
>
>       Assume my pc’s host name is “SOMENATH-PC” & it has 3 user accounts.
> They are:
>
>
>
>                         *USER NAME                        PASSWORD *
>
> i)             Administrator                        administrator
>
> ii)            Somenath                             somenath
>
> iii)           Guest                                     guest
>
>
>
> Now in TGS_REQ message I send “*cifs/SOMENATH-PC.xyz.com
> <http://SOMENATH-PC.xyz.com>” *as server name (Service & Host) in
> KDC_REQ_BODY. After receiving TGS_REQ message KDC prepare a ticket which is
> encrypted by using server’s secret key i.e. SOMENATH-PC’s secret key.
>
>
>
> Now my question is that in order to encrypt the enc-part of the ticket
> what credential’s is used by KDC as *“SOMENATH-PC”* has three user
> accounts which is mentioned above. Please provide me some information
> regarding my question.
>
>
>
> Regards,
>
> Somenath
>
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Reply | Threaded
Open this post in threaded view
|

Re: TGS-REP TICKET decrypting problem

Weijun Wang
The KDC is using the secret key of the computer itself, which is not the same as any of those user accounts. Assuming your KDC is a Windows Server, you will see "Users and Computers" in the Active Directory Domain Services manager, which means each user and computer is a different principal.

--Max


On May 20, 2014, at 17:09, somenath saha <[hidden email]> wrote:

> Hi,
>
>      I need some information regarding the ticket creation in KDC.
>
>      Assume my pc’s host name is “SOMENATH-PC” & it has 3 user accounts.
> They are:
>
>
>
>                        *USER NAME                        PASSWORD*
>
> i)             Administrator                        administrator
>
> ii)            Somenath                             somenath
>
> iii)           Guest                                     guest
>
>
>
> Now in TGS_REQ message I send “*cifs/SOMENATH-PC.xyz.com
> <http://somenath-pc.xyz.com/>” *as server name (Service & Host) in
> KDC_REQ_BODY. After receiving TGS_REQ message KDC prepare a ticket which is
> encrypted by using server’s secret key i.e. SOMENATH-PC’s secret key.
>
>
>
> Now my question is that in order to encrypt the enc-part of the ticket what
> credential’s is used by KDC as *“SOMENATH-PC”* has three user accounts
> which is mentioned above. Please provide me some information regarding my
> question.
>
>
>
> Regards,
>
> Somenath
>
>
> On Thu, May 15, 2014 at 12:56 PM, somenath saha
> <[hidden email]>wrote:
>
>> Hi,
>>
>>      I need some information regarding the ticket creation in KDC.
>>
>>      Assume my pc’s host name is “SOMENATH-PC” & it has 3 user accounts.
>> They are:
>>
>>
>>
>>                        *USER NAME                        PASSWORD *
>>
>> i)             Administrator                        administrator
>>
>> ii)            Somenath                             somenath
>>
>> iii)           Guest                                     guest
>>
>>
>>
>> Now in TGS_REQ message I send “*cifs/SOMENATH-PC.xyz.com
>> <http://SOMENATH-PC.xyz.com>” *as server name (Service & Host) in
>> KDC_REQ_BODY. After receiving TGS_REQ message KDC prepare a ticket which is
>> encrypted by using server’s secret key i.e. SOMENATH-PC’s secret key.
>>
>>
>>
>> Now my question is that in order to encrypt the enc-part of the ticket
>> what credential’s is used by KDC as *“SOMENATH-PC”* has three user
>> accounts which is mentioned above. Please provide me some information
>> regarding my question.
>>
>>
>>
>> Regards,
>>
>> Somenath
>>
> _______________________________________________
> krbdev mailing list             [hidden email]
> https://mailman.mit.edu/mailman/listinfo/krbdev


_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Reply | Threaded
Open this post in threaded view
|

Fwd: TGS-REP TICKET decrypting problem

somenath saha
Hi,

you told me that KDC is using secret key of the computer itself to encrypt
the ticket. How do we find this secret key in-order to decrypt the ticket?
please provide some details about that how to find out the machine secret
key.  its urgent. I became stuck in this point for some week.

regards,
somenath


>
>
>
> On Tue, May 20, 2014 at 4:17 PM, somenath saha <[hidden email]
> > wrote:
>
>>
>>
>> ---------- Forwarded message ----------
>> From: Wang Weijun <[hidden email]>
>> Date: Tue, May 20, 2014 at 3:25 PM
>> Subject: Re: TGS-REP TICKET decrypting problem
>> To: somenath saha <[hidden email]>
>> Cc: "[hidden email]" <[hidden email]>
>>
>>
>> The KDC is using the secret key of the computer itself, which is not the
>> same as any of those user accounts. Assuming your KDC is a Windows Server,
>> you will see "Users and Computers" in the Active Directory Domain Services
>> manager, which means each user and computer is a different principal.
>>
>> --Max
>>
>>
>> On May 20, 2014, at 17:09, somenath saha <[hidden email]>
>> wrote:
>>
>> > Hi,
>> >
>> >      I need some information regarding the ticket creation in KDC.
>> >
>> >      Assume my pc’s host name is “SOMENATH-PC” & it has 3 user accounts.
>> > They are:
>> >
>> >
>> >
>> >                        *USER NAME                        PASSWORD*
>> >
>> > i)             Administrator                        administrator
>> >
>> > ii)            Somenath                             somenath
>> >
>> > iii)           Guest                                     guest
>> >
>> >
>> >
>> > Now in TGS_REQ message I send “*cifs/SOMENATH-PC.xyz.com
>> > <http://somenath-pc.xyz.com/>” *as server name (Service & Host) in
>> > KDC_REQ_BODY. After receiving TGS_REQ message KDC prepare a ticket
>> which is
>> > encrypted by using server’s secret key i.e. SOMENATH-PC’s secret key.
>> >
>> >
>> >
>> > Now my question is that in order to encrypt the enc-part of the ticket
>> what
>> > credential’s is used by KDC as *“SOMENATH-PC”* has three user accounts
>> > which is mentioned above. Please provide me some information regarding
>> my
>> > question.
>> >
>> >
>> >
>> > Regards,
>> >
>> > Somenath
>> >
>> >
>> > On Thu, May 15, 2014 at 12:56 PM, somenath saha
>> > <[hidden email]>wrote:
>> >
>> >> Hi,
>> >>
>> >>      I need some information regarding the ticket creation in KDC.
>> >>
>> >>      Assume my pc’s host name is “SOMENATH-PC” & it has 3 user
>> accounts.
>> >> They are:
>> >>
>> >>
>> >>
>> >>                        *USER NAME                        PASSWORD *
>> >>
>> >> i)             Administrator                        administrator
>> >>
>> >> ii)            Somenath                             somenath
>> >>
>> >> iii)           Guest                                     guest
>> >>
>> >>
>> >>
>> >> Now in TGS_REQ message I send “*cifs/SOMENATH-PC.xyz.com
>> >> <http://SOMENATH-PC.xyz.com>” *as server name (Service & Host) in
>> >> KDC_REQ_BODY. After receiving TGS_REQ message KDC prepare a ticket
>> which is
>> >> encrypted by using server’s secret key i.e. SOMENATH-PC’s secret key.
>> >>
>> >>
>> >>
>> >> Now my question is that in order to encrypt the enc-part of the ticket
>> >> what credential’s is used by KDC as *“SOMENATH-PC”* has three user
>> >> accounts which is mentioned above. Please provide me some information
>> >> regarding my question.
>> >>
>> >>
>> >>
>> >> Regards,
>> >>
>> >> Somenath
>> >>
>> > _______________________________________________
>> > krbdev mailing list             [hidden email]
>> > https://mailman.mit.edu/mailman/listinfo/krbdev
>>
>>
>>
>>
>
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Reply | Threaded
Open this post in threaded view
|

Re: TGS-REP TICKET decrypting problem

Weijun Wang
Windows hides the keys in a "protected storage". After some googling, I find a page showing how to reset or extract those keys. Hope it helps (I haven't tried it).

  http://wiki.wireshark.org/Kerberos

--max

On Jun 10, 2014, at 12:12, somenath saha <[hidden email]> wrote:

> Hi,
>
> you told me that KDC is using secret key of the computer itself to encrypt
> the ticket. How do we find this secret key in-order to decrypt the ticket?
> please provide some details about that how to find out the machine secret
> key.  its urgent. I became stuck in this point for some week.
>
> regards,
> somenath
>
>
>>
>>
>>
>> On Tue, May 20, 2014 at 4:17 PM, somenath saha <[hidden email]
>>> wrote:
>>
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: Wang Weijun <[hidden email]>
>>> Date: Tue, May 20, 2014 at 3:25 PM
>>> Subject: Re: TGS-REP TICKET decrypting problem
>>> To: somenath saha <[hidden email]>
>>> Cc: "[hidden email]" <[hidden email]>
>>>
>>>
>>> The KDC is using the secret key of the computer itself, which is not the
>>> same as any of those user accounts. Assuming your KDC is a Windows Server,
>>> you will see "Users and Computers" in the Active Directory Domain Services
>>> manager, which means each user and computer is a different principal.
>>>
>>> --Max
>>>
>>>
>>> On May 20, 2014, at 17:09, somenath saha <[hidden email]>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>>     I need some information regarding the ticket creation in KDC.
>>>>
>>>>     Assume my pc’s host name is “SOMENATH-PC” & it has 3 user accounts.
>>>> They are:
>>>>
>>>>
>>>>
>>>>                       *USER NAME                        PASSWORD*
>>>>
>>>> i)             Administrator                        administrator
>>>>
>>>> ii)            Somenath                             somenath
>>>>
>>>> iii)           Guest                                     guest
>>>>
>>>>
>>>>
>>>> Now in TGS_REQ message I send “*cifs/SOMENATH-PC.xyz.com
>>>> <http://somenath-pc.xyz.com/>” *as server name (Service & Host) in
>>>> KDC_REQ_BODY. After receiving TGS_REQ message KDC prepare a ticket
>>> which is
>>>> encrypted by using server’s secret key i.e. SOMENATH-PC’s secret key.
>>>>
>>>>
>>>>
>>>> Now my question is that in order to encrypt the enc-part of the ticket
>>> what
>>>> credential’s is used by KDC as *“SOMENATH-PC”* has three user accounts
>>>> which is mentioned above. Please provide me some information regarding
>>> my
>>>> question.
>>>>
>>>>
>>>>
>>>> Regards,
>>>>
>>>> Somenath
>>>>
>>>>
>>>> On Thu, May 15, 2014 at 12:56 PM, somenath saha
>>>> <[hidden email]>wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>>     I need some information regarding the ticket creation in KDC.
>>>>>
>>>>>     Assume my pc’s host name is “SOMENATH-PC” & it has 3 user
>>> accounts.
>>>>> They are:
>>>>>
>>>>>
>>>>>
>>>>>                       *USER NAME                        PASSWORD *
>>>>>
>>>>> i)             Administrator                        administrator
>>>>>
>>>>> ii)            Somenath                             somenath
>>>>>
>>>>> iii)           Guest                                     guest
>>>>>
>>>>>
>>>>>
>>>>> Now in TGS_REQ message I send “*cifs/SOMENATH-PC.xyz.com
>>>>> <http://SOMENATH-PC.xyz.com>” *as server name (Service & Host) in
>>>>> KDC_REQ_BODY. After receiving TGS_REQ message KDC prepare a ticket
>>> which is
>>>>> encrypted by using server’s secret key i.e. SOMENATH-PC’s secret key.
>>>>>
>>>>>
>>>>>
>>>>> Now my question is that in order to encrypt the enc-part of the ticket
>>>>> what credential’s is used by KDC as *“SOMENATH-PC”* has three user
>>>>> accounts which is mentioned above. Please provide me some information
>>>>> regarding my question.
>>>>>
>>>>>
>>>>>
>>>>> Regards,
>>>>>
>>>>> Somenath
>>>>>
>>>> _______________________________________________
>>>> krbdev mailing list             [hidden email]
>>>> https://mailman.mit.edu/mailman/listinfo/krbdev
>>>
>>>
>>>
>>>
>>
> _______________________________________________
> krbdev mailing list             [hidden email]
> https://mailman.mit.edu/mailman/listinfo/krbdev


_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Reply | Threaded
Open this post in threaded view
|

Re: TGS-REP TICKET decrypting problem

somenath saha
thanks Wang. but it did not help me as ktexport doesn't work. please
provide me some other solution. i'm stuck yet.

regards,
somenath


On Tue, Jun 10, 2014 at 10:15 AM, Wang Weijun <[hidden email]>
wrote:

> Windows hides the keys in a "protected storage". After some googling, I
> find a page showing how to reset or extract those keys. Hope it helps (I
> haven't tried it).
>
>   http://wiki.wireshark.org/Kerberos
>
> --max
>
> On Jun 10, 2014, at 12:12, somenath saha <[hidden email]>
> wrote:
>
> > Hi,
> >
> > you told me that KDC is using secret key of the computer itself to
> encrypt
> > the ticket. How do we find this secret key in-order to decrypt the
> ticket?
> > please provide some details about that how to find out the machine secret
> > key.  its urgent. I became stuck in this point for some week.
> >
> > regards,
> > somenath
> >
> >
> >>
> >>
> >>
> >> On Tue, May 20, 2014 at 4:17 PM, somenath saha <
> [hidden email]
> >>> wrote:
> >>
> >>>
> >>>
> >>> ---------- Forwarded message ----------
> >>> From: Wang Weijun <[hidden email]>
> >>> Date: Tue, May 20, 2014 at 3:25 PM
> >>> Subject: Re: TGS-REP TICKET decrypting problem
> >>> To: somenath saha <[hidden email]>
> >>> Cc: "[hidden email]" <[hidden email]>
> >>>
> >>>
> >>> The KDC is using the secret key of the computer itself, which is not
> the
> >>> same as any of those user accounts. Assuming your KDC is a Windows
> Server,
> >>> you will see "Users and Computers" in the Active Directory Domain
> Services
> >>> manager, which means each user and computer is a different principal.
> >>>
> >>> --Max
> >>>
> >>>
> >>> On May 20, 2014, at 17:09, somenath saha <[hidden email]>
> >>> wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>>     I need some information regarding the ticket creation in KDC.
> >>>>
> >>>>     Assume my pc’s host name is “SOMENATH-PC” & it has 3 user
> accounts.
> >>>> They are:
> >>>>
> >>>>
> >>>>
> >>>>                       *USER NAME                        PASSWORD*
> >>>>
> >>>> i)             Administrator                        administrator
> >>>>
> >>>> ii)            Somenath                             somenath
> >>>>
> >>>> iii)           Guest                                     guest
> >>>>
> >>>>
> >>>>
> >>>> Now in TGS_REQ message I send “*cifs/SOMENATH-PC.xyz.com
> >>>> <http://somenath-pc.xyz.com/>” *as server name (Service & Host) in
> >>>> KDC_REQ_BODY. After receiving TGS_REQ message KDC prepare a ticket
> >>> which is
> >>>> encrypted by using server’s secret key i.e. SOMENATH-PC’s secret key.
> >>>>
> >>>>
> >>>>
> >>>> Now my question is that in order to encrypt the enc-part of the ticket
> >>> what
> >>>> credential’s is used by KDC as *“SOMENATH-PC”* has three user accounts
> >>>> which is mentioned above. Please provide me some information regarding
> >>> my
> >>>> question.
> >>>>
> >>>>
> >>>>
> >>>> Regards,
> >>>>
> >>>> Somenath
> >>>>
> >>>>
> >>>> On Thu, May 15, 2014 at 12:56 PM, somenath saha
> >>>> <[hidden email]>wrote:
> >>>>
> >>>>> Hi,
> >>>>>
> >>>>>     I need some information regarding the ticket creation in KDC.
> >>>>>
> >>>>>     Assume my pc’s host name is “SOMENATH-PC” & it has 3 user
> >>> accounts.
> >>>>> They are:
> >>>>>
> >>>>>
> >>>>>
> >>>>>                       *USER NAME                        PASSWORD *
> >>>>>
> >>>>> i)             Administrator                        administrator
> >>>>>
> >>>>> ii)            Somenath                             somenath
> >>>>>
> >>>>> iii)           Guest                                     guest
> >>>>>
> >>>>>
> >>>>>
> >>>>> Now in TGS_REQ message I send “*cifs/SOMENATH-PC.xyz.com
> >>>>> <http://SOMENATH-PC.xyz.com>” *as server name (Service & Host) in
> >>>>> KDC_REQ_BODY. After receiving TGS_REQ message KDC prepare a ticket
> >>> which is
> >>>>> encrypted by using server’s secret key i.e. SOMENATH-PC’s secret key.
> >>>>>
> >>>>>
> >>>>>
> >>>>> Now my question is that in order to encrypt the enc-part of the
> ticket
> >>>>> what credential’s is used by KDC as *“SOMENATH-PC”* has three user
> >>>>> accounts which is mentioned above. Please provide me some information
> >>>>> regarding my question.
> >>>>>
> >>>>>
> >>>>>
> >>>>> Regards,
> >>>>>
> >>>>> Somenath
> >>>>>
> >>>> _______________________________________________
> >>>> krbdev mailing list             [hidden email]
> >>>> https://mailman.mit.edu/mailman/listinfo/krbdev
> >>>
> >>>
> >>>
> >>>
> >>
> > _______________________________________________
> > krbdev mailing list             [hidden email]
> > https://mailman.mit.edu/mailman/listinfo/krbdev
>
>
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Reply | Threaded
Open this post in threaded view
|

RE: TGS-REP TICKET decrypting problem

drankye
Hi Somenath,

When you send TGS_REQ with a tgt to request a service ticket for a service/server, you must specify the service/server principal in TGS_REQ. KDC will query the backend for the encryption key of the specified service principal and use the encryption key to encrypt enc-part of the issued service ticket.

Hope this helps.

Kai

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of somenath saha
Sent: Tuesday, June 10, 2014 3:17 PM
To: Wang Weijun; [hidden email]
Subject: Re: TGS-REP TICKET decrypting problem

thanks Wang. but it did not help me as ktexport doesn't work. please provide me some other solution. i'm stuck yet.

regards,
somenath


On Tue, Jun 10, 2014 at 10:15 AM, Wang Weijun <[hidden email]>
wrote:

> Windows hides the keys in a "protected storage". After some googling,
> I find a page showing how to reset or extract those keys. Hope it
> helps (I haven't tried it).
>
>   http://wiki.wireshark.org/Kerberos
>
> --max
>
> On Jun 10, 2014, at 12:12, somenath saha <[hidden email]>
> wrote:
>
> > Hi,
> >
> > you told me that KDC is using secret key of the computer itself to
> encrypt
> > the ticket. How do we find this secret key in-order to decrypt the
> ticket?
> > please provide some details about that how to find out the machine
> > secret key.  its urgent. I became stuck in this point for some week.
> >
> > regards,
> > somenath
> >
> >
> >>
> >>
> >>
> >> On Tue, May 20, 2014 at 4:17 PM, somenath saha <
> [hidden email]
> >>> wrote:
> >>
> >>>
> >>>
> >>> ---------- Forwarded message ----------
> >>> From: Wang Weijun <[hidden email]>
> >>> Date: Tue, May 20, 2014 at 3:25 PM
> >>> Subject: Re: TGS-REP TICKET decrypting problem
> >>> To: somenath saha <[hidden email]>
> >>> Cc: "[hidden email]" <[hidden email]>
> >>>
> >>>
> >>> The KDC is using the secret key of the computer itself, which is
> >>> not
> the
> >>> same as any of those user accounts. Assuming your KDC is a Windows
> Server,
> >>> you will see "Users and Computers" in the Active Directory Domain
> Services
> >>> manager, which means each user and computer is a different principal.
> >>>
> >>> --Max
> >>>
> >>>
> >>> On May 20, 2014, at 17:09, somenath saha
> >>> <[hidden email]>
> >>> wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>>     I need some information regarding the ticket creation in KDC.
> >>>>
> >>>>     Assume my pc’s host name is “SOMENATH-PC” & it has 3 user
> accounts.
> >>>> They are:
> >>>>
> >>>>
> >>>>
> >>>>                       *USER NAME                        PASSWORD*
> >>>>
> >>>> i)             Administrator                        administrator
> >>>>
> >>>> ii)            Somenath                             somenath
> >>>>
> >>>> iii)           Guest                                     guest
> >>>>
> >>>>
> >>>>
> >>>> Now in TGS_REQ message I send “*cifs/SOMENATH-PC.xyz.com
> >>>> <http://somenath-pc.xyz.com/>” *as server name (Service & Host)
> >>>> in KDC_REQ_BODY. After receiving TGS_REQ message KDC prepare a
> >>>> ticket
> >>> which is
> >>>> encrypted by using server’s secret key i.e. SOMENATH-PC’s secret key.
> >>>>
> >>>>
> >>>>
> >>>> Now my question is that in order to encrypt the enc-part of the
> >>>> ticket
> >>> what
> >>>> credential’s is used by KDC as *“SOMENATH-PC”* has three user
> >>>> accounts which is mentioned above. Please provide me some
> >>>> information regarding
> >>> my
> >>>> question.
> >>>>
> >>>>
> >>>>
> >>>> Regards,
> >>>>
> >>>> Somenath
> >>>>
> >>>>
> >>>> On Thu, May 15, 2014 at 12:56 PM, somenath saha
> >>>> <[hidden email]>wrote:
> >>>>
> >>>>> Hi,
> >>>>>
> >>>>>     I need some information regarding the ticket creation in KDC.
> >>>>>
> >>>>>     Assume my pc’s host name is “SOMENATH-PC” & it has 3 user
> >>> accounts.
> >>>>> They are:
> >>>>>
> >>>>>
> >>>>>
> >>>>>                       *USER NAME                        PASSWORD *
> >>>>>
> >>>>> i)             Administrator                        administrator
> >>>>>
> >>>>> ii)            Somenath                             somenath
> >>>>>
> >>>>> iii)           Guest                                     guest
> >>>>>
> >>>>>
> >>>>>
> >>>>> Now in TGS_REQ message I send “*cifs/SOMENATH-PC.xyz.com
> >>>>> <http://SOMENATH-PC.xyz.com>” *as server name (Service & Host)
> >>>>> in KDC_REQ_BODY. After receiving TGS_REQ message KDC prepare a
> >>>>> ticket
> >>> which is
> >>>>> encrypted by using server’s secret key i.e. SOMENATH-PC’s secret key.
> >>>>>
> >>>>>
> >>>>>
> >>>>> Now my question is that in order to encrypt the enc-part of the
> ticket
> >>>>> what credential’s is used by KDC as *“SOMENATH-PC”* has three
> >>>>> user accounts which is mentioned above. Please provide me some
> >>>>> information regarding my question.
> >>>>>
> >>>>>
> >>>>>
> >>>>> Regards,
> >>>>>
> >>>>> Somenath
> >>>>>
> >>>> _______________________________________________
> >>>> krbdev mailing list             [hidden email]
> >>>> https://mailman.mit.edu/mailman/listinfo/krbdev
> >>>
> >>>
> >>>
> >>>
> >>
> > _______________________________________________
> > krbdev mailing list             [hidden email]
> > https://mailman.mit.edu/mailman/listinfo/krbdev
>
>
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Reply | Threaded
Open this post in threaded view
|

Re: TGS-REP TICKET decrypting problem

Weijun Wang
In reply to this post by somenath saha
I don't have a better answer. Maybe you can try the other tools mentioned on the page.

--max

On Jun 10, 2014, at 15:17, somenath saha <[hidden email]> wrote:

> thanks Wang. but it did not help me as ktexport doesn't work. please provide me some other solution. i'm stuck yet.
>
> regards,
> somenath
>
>
> On Tue, Jun 10, 2014 at 10:15 AM, Wang Weijun <[hidden email]> wrote:
> Windows hides the keys in a "protected storage". After some googling, I find a page showing how to reset or extract those keys. Hope it helps (I haven't tried it).
>
>   http://wiki.wireshark.org/Kerberos
>
> --max


_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Reply | Threaded
Open this post in threaded view
|

RE: TGS-REP TICKET decrypting problem

drankye
In reply to this post by drankye
Somenath,

I might misunderstand what you want to do. Is it in windows application layer that you send a TGS-REQ? If so you're sure to know which service/server principal to use since you need to specify it and thus you may also know and be able to access the srvtab or keytab for the service as such is a deployment step. But if you're meaning it for windows system built-in account, then I think Weijun is right and the credential/key for the system account is hided from application layer. I don't know how to access it either. But would you make sure is that your intention? Thanks.

Kai

-----Original Message-----
From: Zheng, Kai
Sent: Tuesday, June 10, 2014 3:34 PM
To: somenath saha; Wang Weijun; [hidden email]
Subject: RE: TGS-REP TICKET decrypting problem

Hi Somenath,

When you send TGS_REQ with a tgt to request a service ticket for a service/server, you must specify the service/server principal in TGS_REQ. KDC will query the backend for the encryption key of the specified service principal and use the encryption key to encrypt enc-part of the issued service ticket.

Hope this helps.

Kai

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of somenath saha
Sent: Tuesday, June 10, 2014 3:17 PM
To: Wang Weijun; [hidden email]
Subject: Re: TGS-REP TICKET decrypting problem

thanks Wang. but it did not help me as ktexport doesn't work. please provide me some other solution. i'm stuck yet.

regards,
somenath


On Tue, Jun 10, 2014 at 10:15 AM, Wang Weijun <[hidden email]>
wrote:

> Windows hides the keys in a "protected storage". After some googling,
> I find a page showing how to reset or extract those keys. Hope it
> helps (I haven't tried it).
>
>   http://wiki.wireshark.org/Kerberos
>
> --max
>
> On Jun 10, 2014, at 12:12, somenath saha <[hidden email]>
> wrote:
>
> > Hi,
> >
> > you told me that KDC is using secret key of the computer itself to
> encrypt
> > the ticket. How do we find this secret key in-order to decrypt the
> ticket?
> > please provide some details about that how to find out the machine
> > secret key.  its urgent. I became stuck in this point for some week.
> >
> > regards,
> > somenath
> >
> >
> >>
> >>
> >>
> >> On Tue, May 20, 2014 at 4:17 PM, somenath saha <
> [hidden email]
> >>> wrote:
> >>
> >>>
> >>>
> >>> ---------- Forwarded message ----------
> >>> From: Wang Weijun <[hidden email]>
> >>> Date: Tue, May 20, 2014 at 3:25 PM
> >>> Subject: Re: TGS-REP TICKET decrypting problem
> >>> To: somenath saha <[hidden email]>
> >>> Cc: "[hidden email]" <[hidden email]>
> >>>
> >>>
> >>> The KDC is using the secret key of the computer itself, which is
> >>> not
> the
> >>> same as any of those user accounts. Assuming your KDC is a Windows
> Server,
> >>> you will see "Users and Computers" in the Active Directory Domain
> Services
> >>> manager, which means each user and computer is a different principal.
> >>>
> >>> --Max
> >>>
> >>>
> >>> On May 20, 2014, at 17:09, somenath saha
> >>> <[hidden email]>
> >>> wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>>     I need some information regarding the ticket creation in KDC.
> >>>>
> >>>>     Assume my pc’s host name is “SOMENATH-PC” & it has 3 user
> accounts.
> >>>> They are:
> >>>>
> >>>>
> >>>>
> >>>>                       *USER NAME                        PASSWORD*
> >>>>
> >>>> i)             Administrator                        administrator
> >>>>
> >>>> ii)            Somenath                             somenath
> >>>>
> >>>> iii)           Guest                                     guest
> >>>>
> >>>>
> >>>>
> >>>> Now in TGS_REQ message I send “*cifs/SOMENATH-PC.xyz.com
> >>>> <http://somenath-pc.xyz.com/>” *as server name (Service & Host)
> >>>> in KDC_REQ_BODY. After receiving TGS_REQ message KDC prepare a
> >>>> ticket
> >>> which is
> >>>> encrypted by using server’s secret key i.e. SOMENATH-PC’s secret key.
> >>>>
> >>>>
> >>>>
> >>>> Now my question is that in order to encrypt the enc-part of the
> >>>> ticket
> >>> what
> >>>> credential’s is used by KDC as *“SOMENATH-PC”* has three user
> >>>> accounts which is mentioned above. Please provide me some
> >>>> information regarding
> >>> my
> >>>> question.
> >>>>
> >>>>
> >>>>
> >>>> Regards,
> >>>>
> >>>> Somenath
> >>>>
> >>>>
> >>>> On Thu, May 15, 2014 at 12:56 PM, somenath saha
> >>>> <[hidden email]>wrote:
> >>>>
> >>>>> Hi,
> >>>>>
> >>>>>     I need some information regarding the ticket creation in KDC.
> >>>>>
> >>>>>     Assume my pc’s host name is “SOMENATH-PC” & it has 3 user
> >>> accounts.
> >>>>> They are:
> >>>>>
> >>>>>
> >>>>>
> >>>>>                       *USER NAME                        PASSWORD *
> >>>>>
> >>>>> i)             Administrator                        administrator
> >>>>>
> >>>>> ii)            Somenath                             somenath
> >>>>>
> >>>>> iii)           Guest                                     guest
> >>>>>
> >>>>>
> >>>>>
> >>>>> Now in TGS_REQ message I send “*cifs/SOMENATH-PC.xyz.com
> >>>>> <http://SOMENATH-PC.xyz.com>” *as server name (Service & Host)
> >>>>> in KDC_REQ_BODY. After receiving TGS_REQ message KDC prepare a
> >>>>> ticket
> >>> which is
> >>>>> encrypted by using server’s secret key i.e. SOMENATH-PC’s secret key.
> >>>>>
> >>>>>
> >>>>>
> >>>>> Now my question is that in order to encrypt the enc-part of the
> ticket
> >>>>> what credential’s is used by KDC as *“SOMENATH-PC”* has three
> >>>>> user accounts which is mentioned above. Please provide me some
> >>>>> information regarding my question.
> >>>>>
> >>>>>
> >>>>>
> >>>>> Regards,
> >>>>>
> >>>>> Somenath
> >>>>>
> >>>> _______________________________________________
> >>>> krbdev mailing list             [hidden email]
> >>>> https://mailman.mit.edu/mailman/listinfo/krbdev
> >>>
> >>>
> >>>
> >>>
> >>
> > _______________________________________________
> > krbdev mailing list             [hidden email]
> > https://mailman.mit.edu/mailman/listinfo/krbdev
>
>
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Reply | Threaded
Open this post in threaded view
|

Re: TGS-REP TICKET decrypting problem

Weijun Wang
In reply to this post by Weijun Wang
Good news.

The NTDSXtract tool described on the Wireshark wiki works. I am now able to decrypt an initial TGT and can confirm the session key inside is the same as the one in the AS-REP.

My AD is Windows 2008 R2.

--Max

On Jun 10, 2014, at 16:16, Wang Weijun <[hidden email]> wrote:

> I don't have a better answer. Maybe you can try the other tools mentioned on the page.
>
> --max
>
> On Jun 10, 2014, at 15:17, somenath saha <[hidden email]> wrote:
>
>> thanks Wang. but it did not help me as ktexport doesn't work. please provide me some other solution. i'm stuck yet.
>>
>> regards,
>> somenath
>>
>>
>> On Tue, Jun 10, 2014 at 10:15 AM, Wang Weijun <[hidden email]> wrote:
>> Windows hides the keys in a "protected storage". After some googling, I find a page showing how to reset or extract those keys. Hope it helps (I haven't tried it).
>>
>>  http://wiki.wireshark.org/Kerberos
>>
>> --max
>


_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Reply | Threaded
Open this post in threaded view
|

Re: TGS-REP TICKET decrypting problem

somenath saha
thnaks max,

    currently i try to use NTDSXtract tool. I think esedbexport works only
in UNIX. am i right max?



On Tue, Jun 10, 2014 at 4:36 PM, Wang Weijun <[hidden email]> wrote:

> Good news.
>
> The NTDSXtract tool described on the Wireshark wiki works. I am now able
> to decrypt an initial TGT and can confirm the session key inside is the
> same as the one in the AS-REP.
>
> My AD is Windows 2008 R2.
>
> --Max
>
> On Jun 10, 2014, at 16:16, Wang Weijun <[hidden email]> wrote:
>
> > I don't have a better answer. Maybe you can try the other tools
> mentioned on the page.
> >
> > --max
> >
> > On Jun 10, 2014, at 15:17, somenath saha <[hidden email]>
> wrote:
> >
> >> thanks Wang. but it did not help me as ktexport doesn't work. please
> provide me some other solution. i'm stuck yet.
> >>
> >> regards,
> >> somenath
> >>
> >>
> >> On Tue, Jun 10, 2014 at 10:15 AM, Wang Weijun <[hidden email]>
> wrote:
> >> Windows hides the keys in a "protected storage". After some googling, I
> find a page showing how to reset or extract those keys. Hope it helps (I
> haven't tried it).
> >>
> >>  http://wiki.wireshark.org/Kerberos
> >>
> >> --max
> >
>
>
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Reply | Threaded
Open this post in threaded view
|

Re: TGS-REP TICKET decrypting problem

Weijun Wang

On Jun 10, 2014, at 19:11, somenath saha <[hidden email]> wrote:

> currently i try to use NTDSXtract tool. I think esedbexport works only in UNIX. am i right max?

Maybe. I compile/run esedbexport and run dskeytab.py on a Mac. I suppose Linux should also works.

--Max


_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Reply | Threaded
Open this post in threaded view
|

Re: TGS-REP TICKET decrypting problem

somenath saha
thanks guys,

 It will help me to find out the secret key of server. but my initial
question is not that. i want to know that how to create this secret key. i
mean, in order to create this secret key what argument is needed. Because i
want to decrypt the ticket (which i got from TGS_REP) from server side and
my question is that how to prepare this secret key (what is the
credential?) and how i got this credential...  help me out guys

regards
somenath


On Tue, Jun 10, 2014 at 4:49 PM, Wang Weijun <[hidden email]> wrote:

>
> On Jun 10, 2014, at 19:11, somenath saha <[hidden email]>
> wrote:
>
> > currently i try to use NTDSXtract tool. I think esedbexport works only
> in UNIX. am i right max?
>
> Maybe. I compile/run esedbexport and run dskeytab.py on a Mac. I suppose
> Linux should also works.
>
> --Max
>
>
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Reply | Threaded
Open this post in threaded view
|

RE: TGS-REP TICKET decrypting problem

drankye
Perhaps you can export the keys for the server principal into keytab file if you can access the KDC. Many application servers use keytab to get the decryption key when validates client ticket. I'm not sure there're existing tool that allows to repeat the process buried in Kerberos implementation to create the exact keys. It also depends on what encryption type you're using.

Kai

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of somenath saha
Sent: Tuesday, June 10, 2014 9:56 PM
To: Wang Weijun
Cc: [hidden email]
Subject: Re: TGS-REP TICKET decrypting problem

thanks guys,

 It will help me to find out the secret key of server. but my initial question is not that. i want to know that how to create this secret key. i mean, in order to create this secret key what argument is needed. Because i want to decrypt the ticket (which i got from TGS_REP) from server side and my question is that how to prepare this secret key (what is the
credential?) and how i got this credential...  help me out guys

regards
somenath


On Tue, Jun 10, 2014 at 4:49 PM, Wang Weijun <[hidden email]> wrote:

>
> On Jun 10, 2014, at 19:11, somenath saha <[hidden email]>
> wrote:
>
> > currently i try to use NTDSXtract tool. I think esedbexport works
> > only
> in UNIX. am i right max?
>
> Maybe. I compile/run esedbexport and run dskeytab.py on a Mac. I
> suppose Linux should also works.
>
> --Max
>
>
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Reply | Threaded
Open this post in threaded view
|

RE: TGS-REP TICKET decrypting problem

Danilo Almeida-2
Somenath,

What is your end-to-end scenario?

- Danilo


_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Reply | Threaded
Open this post in threaded view
|

Re: TGS-REP TICKET decrypting problem

somenath saha
HI all,

I have three machine. one is used as windows server 2012 where KDC is
running and also DHCP and DNS is running there. and other two pc is
connected with this server. Now two client pc want to communicate with each
other using cifsv2.  Before that they must be authenticate by kerberos.
everything goes fine. The problem is arise where 2nd client pc want to
decrypt the ticket which he recived from 1st client pc through AP-REQ
message. I think 2nd client pc must not communicate again with kdc to get
his secret key to decrypt the pc. It should be know to him but i'm unable
to prepare the key as i don't know which credential is used to prepare the
key. please go through the firs mail in this mail chain to find out the
user Account credential for 2nd pc. The ticket is encrypted with
aes256-cts-hmac-sha1-96 algorithm.

regards
somenath


On Wed, Jun 11, 2014 at 3:50 AM, Danilo Almeida <[hidden email]> wrote:

> Somenath,
>
> What is your end-to-end scenario?
>
> - Danilo
>
>
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Reply | Threaded
Open this post in threaded view
|

RE: TGS-REP TICKET decrypting problem

Danilo Almeida-2
Somenath,

Your description is still very unclear.

My guess as to what you are describing:

1.       You are running an Active Directory domain on a Windows Server 2012 machine with two Windows (version?) clients joined to the domain. Let’s call the domain DOMAIN and the machines DC, CLIENT-1, and CLIENT-2.

2.       You have a domain user account called U1@DOMAIN.

3.       You log into CLIENT-1 as U1@DOMAIN.

4.       As U1@DOMAIN on CLIENT-1, you try to access files over SMB2 on CLIENT-2.

Is my understanding  correct? If so, is this failing somehow? If not, please make your scenario clearer.

- Danilo

From: somenath saha [mailto:[hidden email]]
Sent: Tuesday, June 10, 2014 9:54 PM
To: Danilo Almeida
Cc: Zheng, Kai; Wang Weijun; [hidden email]
Subject: Re: TGS-REP TICKET decrypting problem

HI all,

I have three machine. one is used as windows server 2012 where KDC is running and also DHCP and DNS is running there. and other two pc is connected with this server. Now two client pc want to communicate with each other using cifsv2.  Before that they must be authenticate by kerberos. everything goes fine. The problem is arise where 2nd client pc want to decrypt the ticket which he recived from 1st client pc through AP-REQ message. I think 2nd client pc must not communicate again with kdc to get his secret key to decrypt the pc. It should be know to him but i'm unable to prepare the key as i don't know which credential is used to prepare the key. please go through the firs mail in this mail chain to find out the user Account credential for 2nd pc. The ticket is encrypted with aes256-cts-hmac-sha1-96 algorithm.

regards
somenath

On Wed, Jun 11, 2014 at 3:50 AM, Danilo Almeida <[hidden email]<mailto:[hidden email]>> wrote:
Somenath,

What is your end-to-end scenario?

- Danilo

_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Reply | Threaded
Open this post in threaded view
|

Re: TGS-REP TICKET decrypting problem

somenath saha
Danilo,


Ok there is a details about my setup and my project..

1.       1.              I am running an Active Directory domain on a
Windows Server 2012 machine with two Windows (windows server 2012) clients
joined to the domain. Let’s call the domain DOMAIN and the machines DC,
CLIENT-1, and CLIENT-2.

2.       2.             Now CLIENT-1 wants to communicate with CLIENT-2. So
they authenticate each other using Kerberos. Here they can easily
authenticate each other.



In my project I want to implement Kerberos authentication so I take the
AP_REQ packet from CLIENT-2 and now I try to decrypt the TICKET which is
present in AP_REQ packet. I write separate code for Kerberos. I take AS_REP
and TGS_REP packet from CLIENT-2 machine and I try to decrypt enc-part of
them using my code and I got success. Now I want to decrypt the TICKET. I
know all the credential details of CLIENT-2. But I can’t decrypt the TICKET
from AP_REQ message.

-somenath

On Thu, Jun 12, 2014 at 7:25 AM, Danilo Almeida <[hidden email]> wrote:

>  Somenath,
>
>
>
> Your description is still very unclear.
>
>
>
> My guess as to what you are describing:
>
> 1.       You are running an Active Directory domain on a Windows Server
> 2012 machine with two Windows (version?) clients joined to the domain.
> Let’s call the domain DOMAIN and the machines DC, CLIENT-1, and CLIENT-2.
>
> 2.       You have a domain user account called U1@DOMAIN.
>
> 3.       You log into CLIENT-1 as U1@DOMAIN.
>
> 4.       As U1@DOMAIN on CLIENT-1, you try to access files over SMB2 on
> CLIENT-2.
>
>
>
> Is my understanding  correct? If so, is this failing somehow? If not,
> please make your scenario clearer.
>
>
>
> - Danilo
>
>
>
> *From:* somenath saha [mailto:[hidden email]]
> *Sent:* Tuesday, June 10, 2014 9:54 PM
> *To:* Danilo Almeida
> *Cc:* Zheng, Kai; Wang Weijun; [hidden email]
>
> *Subject:* Re: TGS-REP TICKET decrypting problem
>
>
>
> HI all,
>
>
>
> I have three machine. one is used as windows server 2012 where KDC is
> running and also DHCP and DNS is running there. and other two pc is
> connected with this server. Now two client pc want to communicate with each
> other using cifsv2.  Before that they must be authenticate by kerberos.
> everything goes fine. The problem is arise where 2nd client pc want to
> decrypt the ticket which he recived from 1st client pc through AP-REQ
> message. I think 2nd client pc must not communicate again with kdc to get
> his secret key to decrypt the pc. It should be know to him but i'm unable
> to prepare the key as i don't know which credential is used to prepare the
> key. please go through the firs mail in this mail chain to find out the
> user Account credential for 2nd pc. The ticket is encrypted with
> aes256-cts-hmac-sha1-96 algorithm.
>
>
>
> regards
>
> somenath
>
>
>
> On Wed, Jun 11, 2014 at 3:50 AM, Danilo Almeida <[hidden email]> wrote:
>
> Somenath,
>
> What is your end-to-end scenario?
>
> - Danilo
>
>
>
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Reply | Threaded
Open this post in threaded view
|

Re: TGS-REP TICKET decrypting problem

somenath saha
Hi Danilo and other,

       I forgot to mention something about my setup.  I am running an
Active Directory domain on a Windows Server 2012 machine with two Windows
(windows server 2012) clients joined to the domain. In windows server 2012
i create a user "krbtest" and password of this user is "Krbtest2012"
corresponding domain and enctype. now i prepare a key using the user
credential i.e username "krbtest " and its password and using this key i
can decrypt the AS_REP message. but i can't decrypt the TGS_REP ticket
using that key. please help me out and inform me if you need any other
details..

regards,
somenath



On Thu, Jun 12, 2014 at 11:59 AM, somenath saha <[hidden email]>
wrote:

> Danilo,
>
>
> Ok there is a details about my setup and my project..
>
> 1.       1.              I am running an Active Directory domain on a
> Windows Server 2012 machine with two Windows (windows server 2012) clients
> joined to the domain. Let’s call the domain DOMAIN and the machines DC,
> CLIENT-1, and CLIENT-2.
>
> 2.       2.             Now CLIENT-1 wants to communicate with CLIENT-2.
> So they authenticate each other using Kerberos. Here they can easily
> authenticate each other.
>
>
>
> In my project I want to implement Kerberos authentication so I take the
> AP_REQ packet from CLIENT-2 and now I try to decrypt the TICKET which is
> present in AP_REQ packet. I write separate code for Kerberos. I take AS_REP
> and TGS_REP packet from CLIENT-2 machine and I try to decrypt enc-part of
> them using my code and I got success. Now I want to decrypt the TICKET. I
> know all the credential details of CLIENT-2. But I can’t decrypt the TICKET
> from AP_REQ message.
>
> -somenath
>
> On Thu, Jun 12, 2014 at 7:25 AM, Danilo Almeida <[hidden email]> wrote:
>
>>  Somenath,
>>
>>
>>
>> Your description is still very unclear.
>>
>>
>>
>> My guess as to what you are describing:
>>
>> 1.       You are running an Active Directory domain on a Windows Server
>> 2012 machine with two Windows (version?) clients joined to the domain.
>> Let’s call the domain DOMAIN and the machines DC, CLIENT-1, and CLIENT-2.
>>
>> 2.       You have a domain user account called U1@DOMAIN.
>>
>> 3.       You log into CLIENT-1 as U1@DOMAIN.
>>
>> 4.       As U1@DOMAIN on CLIENT-1, you try to access files over SMB2 on
>> CLIENT-2.
>>
>>
>>
>> Is my understanding  correct? If so, is this failing somehow? If not,
>> please make your scenario clearer.
>>
>>
>>
>> - Danilo
>>
>>
>>
>> *From:* somenath saha [mailto:[hidden email]]
>> *Sent:* Tuesday, June 10, 2014 9:54 PM
>> *To:* Danilo Almeida
>> *Cc:* Zheng, Kai; Wang Weijun; [hidden email]
>>
>> *Subject:* Re: TGS-REP TICKET decrypting problem
>>
>>
>>
>> HI all,
>>
>>
>>
>> I have three machine. one is used as windows server 2012 where KDC is
>> running and also DHCP and DNS is running there. and other two pc is
>> connected with this server. Now two client pc want to communicate with each
>> other using cifsv2.  Before that they must be authenticate by kerberos.
>> everything goes fine. The problem is arise where 2nd client pc want to
>> decrypt the ticket which he recived from 1st client pc through AP-REQ
>> message. I think 2nd client pc must not communicate again with kdc to get
>> his secret key to decrypt the pc. It should be know to him but i'm unable
>> to prepare the key as i don't know which credential is used to prepare the
>> key. please go through the firs mail in this mail chain to find out the
>> user Account credential for 2nd pc. The ticket is encrypted with
>> aes256-cts-hmac-sha1-96 algorithm.
>>
>>
>>
>> regards
>>
>> somenath
>>
>>
>>
>> On Wed, Jun 11, 2014 at 3:50 AM, Danilo Almeida <[hidden email]> wrote:
>>
>> Somenath,
>>
>> What is your end-to-end scenario?
>>
>> - Danilo
>>
>>
>>
>
>
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Reply | Threaded
Open this post in threaded view
|

Re: TGS-REP TICKET decrypting problem

somenath saha
In reply to this post by somenath saha
hi danilo and other

I forgot to mention something about my setup.  I am running an Active
Directory domain on a Windows Server 2012 machine with two Windows (windows
server 2012) clients joined to the domain. In windows server 2012 i create
a user "krbtest" and password of this user is "Krbtest2012". now i prepare
a key using the user credential i.e username "krbtest " , its password
and corresponding
domain and enctype. Using this key i can decrypt the AS_REP message. but i
can't decrypt the TGS_REP ticket using that key. please help me out and
inform me if you need any other details..


On Thu, Jun 12, 2014 at 11:59 AM, somenath saha <[hidden email]>
wrote:

> Danilo,
>
>
> Ok there is a details about my setup and my project..
>
> 1.       1.              I am running an Active Directory domain on a
> Windows Server 2012 machine with two Windows (windows server 2012) clients
> joined to the domain. Let’s call the domain DOMAIN and the machines DC,
> CLIENT-1, and CLIENT-2.
>
> 2.       2.             Now CLIENT-1 wants to communicate with CLIENT-2.
> So they authenticate each other using Kerberos. Here they can easily
> authenticate each other.
>
>
>
> In my project I want to implement Kerberos authentication so I take the
> AP_REQ packet from CLIENT-2 and now I try to decrypt the TICKET which is
> present in AP_REQ packet. I write separate code for Kerberos. I take AS_REP
> and TGS_REP packet from CLIENT-2 machine and I try to decrypt enc-part of
> them using my code and I got success. Now I want to decrypt the TICKET. I
> know all the credential details of CLIENT-2. But I can’t decrypt the TICKET
> from AP_REQ message.
>
> -somenath
>
> On Thu, Jun 12, 2014 at 7:25 AM, Danilo Almeida <[hidden email]> wrote:
>
>>  Somenath,
>>
>>
>>
>> Your description is still very unclear.
>>
>>
>>
>> My guess as to what you are describing:
>>
>> 1.       You are running an Active Directory domain on a Windows Server
>> 2012 machine with two Windows (version?) clients joined to the domain.
>> Let’s call the domain DOMAIN and the machines DC, CLIENT-1, and CLIENT-2.
>>
>> 2.       You have a domain user account called U1@DOMAIN.
>>
>> 3.       You log into CLIENT-1 as U1@DOMAIN.
>>
>> 4.       As U1@DOMAIN on CLIENT-1, you try to access files over SMB2 on
>> CLIENT-2.
>>
>>
>>
>> Is my understanding  correct? If so, is this failing somehow? If not,
>> please make your scenario clearer.
>>
>>
>>
>> - Danilo
>>
>>
>>
>> *From:* somenath saha [mailto:[hidden email]]
>> *Sent:* Tuesday, June 10, 2014 9:54 PM
>> *To:* Danilo Almeida
>> *Cc:* Zheng, Kai; Wang Weijun; [hidden email]
>>
>> *Subject:* Re: TGS-REP TICKET decrypting problem
>>
>>
>>
>> HI all,
>>
>>
>>
>> I have three machine. one is used as windows server 2012 where KDC is
>> running and also DHCP and DNS is running there. and other two pc is
>> connected with this server. Now two client pc want to communicate with each
>> other using cifsv2.  Before that they must be authenticate by kerberos.
>> everything goes fine. The problem is arise where 2nd client pc want to
>> decrypt the ticket which he recived from 1st client pc through AP-REQ
>> message. I think 2nd client pc must not communicate again with kdc to get
>> his secret key to decrypt the pc. It should be know to him but i'm unable
>> to prepare the key as i don't know which credential is used to prepare the
>> key. please go through the firs mail in this mail chain to find out the
>> user Account credential for 2nd pc. The ticket is encrypted with
>> aes256-cts-hmac-sha1-96 algorithm.
>>
>>
>>
>> regards
>>
>> somenath
>>
>>
>>
>> On Wed, Jun 11, 2014 at 3:50 AM, Danilo Almeida <[hidden email]> wrote:
>>
>> Somenath,
>>
>> What is your end-to-end scenario?
>>
>> - Danilo
>>
>>
>>
>
>
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
12