Unwanted canonicalization of the principal name? (slightly offtopic)


Victor Sudakov
This question is neither exactly squid-related nor Heimdal-related, but
maybe some guru could shed some light.

I configure MSIE to use the proxy server "proxy.sibptus.transneft.ru".
On starting MSIE, some Windows hosts request a ticket for the
principal "HTTP/proxy.sibptus.transneft.ru" and receive it from the DC
and get authenticated successfully by squid. So far so good.

However, some other Windows hosts when requesting a ticket for
HTTP/proxy.sibptus.transneft.ru, in fact receive a ticket for
[hidden email] (kerbtray.exe shows this) and therefore
fail to get authenticated by squid.

"[hidden email]" is the AD account to which the SPN
"HTTP/proxy.sibptus.transneft.ru" is bound. But why they receive a
ticket for a different name than requested is beyond me.

Has anyone seen anything like this?

The KDC involved is the w2k AD.

--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[hidden email]

Re: Unwanted canonicalization of the principal name? (slightly offtopic)

Matthew Hannigan
I'm pretty sure all uppercase is required by the standard.
The lowercase matching is convenient but strictly speaking non-compliant.
Regards,
Matt


On Fri, Oct 17, 2014 at 3:20 AM, Victor Sudakov <[hidden email]> wrote:

> This question is neither exactly squid-related nor Heimdal-related, but
> maybe some guru could shed some light.
>
> I configure MSIE to use the proxy server "proxy.sibptus.transneft.ru".
> On starting MSIE, some Windows hosts request a ticket for the
> principal "HTTP/proxy.sibptus.transneft.ru" and receive it from the DC
> and get authenticated successfully by squid. So far so good.
>
> However, some other Windows hosts when requesting a ticket for
> HTTP/proxy.sibptus.transneft.ru, in fact receive a ticket for
> [hidden email] (kerbtray.exe shows this) and therefore
> fail to get authenticated by squid.
>
> "[hidden email]" is the AD account to which the SPN
> "HTTP/proxy.sibptus.transneft.ru" is bound. But why they receive a
> ticket for a different name than requested is beyond me.
>
> Has anyone seen anything like this?
>
> The KDC involved is the w2k AD.
>
> --
> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> sip:[hidden email]

Re: Unwanted canonicalization of the principal name? (slightly offtopic)

Matthew Hannigan
Re-reading your message -- you weren't asking about the case difference.
However, it might be related.


Re: Unwanted canonicalization of the principal name? (slightly offtopic)

Victor Sudakov
In reply to this post by Matthew Hannigan
Excuse me, "all uppercase" where?

Of course the realm name in
HTTP/[hidden email] is uppercase, as
well as in "[hidden email]".

My question was a bit different. Why does a host receive a ticket for
[hidden email] though it has requested a ticket for
"HTTP/[hidden email]"?

"HTTP/[hidden email]" is an SPN bound
to the "squiduser" AD account.

--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[hidden email]

Re: Unwanted canonicalization of the principal name? (slightly offtopic)

Victor Sudakov
Victor Sudakov wrote:
>
> My question was a bit different. Why does a host receive a ticket for
> [hidden email] though it has requested a ticket for
> "HTTP/[hidden email]"?
>
> "HTTP/[hidden email]" is a SPN bound
> to the "squiduser" AD account.

I thought I had better illustrate the problem with a packet dump.
I am attaching one.

Please look at Frame No. 36, where a ticket is requested for
"HTTP/proxy.sibptus.transneft.ru", and then at Frame No. 39, where
the ticket is granted, but for the wrong principal name.

--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[hidden email]

Re: Unwanted canonicalization of the principal name? (slightly offtopic)

Victor Sudakov
In reply to this post by Victor Sudakov
Sorry, forgot to attach the dump. This message should be correct.

--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[hidden email]

Attachment: tgt_bad.cap (14K)

Re: Unwanted canonicalization of the principal name? (slightly offtopic)

Matthew Hannigan
In reply to this post by Victor Sudakov
Victor,
Sorry, I misread your original message.
All I can offer is to check for some correlation between client
Windows version and/or logged-in user and the wrong behaviour.

W2k is pretty ancient -- any chance of upgrading?

Regards,
Matt

Re: Unwanted canonicalization of the principal name? (slightly offtopic)

Markus Moeller
In reply to this post by Victor Sudakov
Hi Victor,

If I look at the trace I see a KRB5 err on the first TGS REQ. Do you
know if the clients access different AD servers?

Markus

Re: Unwanted canonicalization of the principal name? (slightly offtopic)

Victor Sudakov
Markus Moeller wrote:
>
> If I look at the trace I see a KRB5 err on the first TGS REQ. Do you
> know if the clients access different AD servers?

No, it's 10.14.134.4 every time for this client.

--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[hidden email]

Re: Unwanted canonicalization of the principal name? (slightly offtopic)

Victor Sudakov
In reply to this post by Matthew Hannigan
Matthew Hannigan wrote:
> Sorry,  I misread your original message.
> All I can offer is to check for some correlation between client
> Windows version and/or logged-in user and the wrong behaviour.

We have tried to find a correlation, with no useful results. Some WinXP
clients work while some others don't. The set of policies seems to be
identical on both.

>
> W2k is pretty ancient -- any chance of upgrading?

Unfortunately not too soon.


--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[hidden email]

Re: Unwanted canonicalization of the principal name? (slightly offtopic)

Victor Sudakov
Victor Sudakov wrote:
> Matthew Hannigan wrote:
> > Sorry,  I misread your original message.
> > All I can offer is to check for some correlation between client
> > Windows version and/or logged-in user and the wrong behaviour.
>
> We have tried to find a correlation, with no useful results. Some WinXP
> clients work while some others don't. The set of policies seems to be
> identical on both.

There is one point however. Some clients don't set the "Canonicalize"
KDC option in their TGS request. Those clients work all right because
they receive the correct ticket.

The others do set this option, and they are the ones that fail
(receive the wrong ticket).

This can be observed by filtering Kerberos traffic in Wireshark with
"kerberos.kdcoptions.canonicalize == 0" or
"kerberos.kdcoptions.canonicalize == 1" respectively.

I have tried in vain to google what could influence Kerberos clients
of the same AD domain to set or unset this bit. Must be some black
sorcery.



--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[hidden email]
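As an added example (not code from the thread or from squid), a small Python triage script for the symptom described above: it decodes the KDCOptions bit string to see whether canonicalize was set, pairs each TGS-REQ with the KDC's TGS-REP to the same client, and lists the clients that were granted a ticket for a different sname than they requested. The rows are constructed here in the shape of a `tshark -T fields` export; the client addresses and option words are assumptions, while the SPN, the DC address and the "squiduser" account name come from the thread.

```python
"""Triage TGS exchanges for the "wrong principal name" symptom from the thread:
a TGS-REQ with the canonicalize KDC option set, answered by a TGS-REP whose
sname is the account name rather than the requested SPN."""

TGS_REQ, TGS_REP = 12, 13   # Kerberos msg-type values (RFC 4120)
SPN = "HTTP/proxy.sibptus.transneft.ru"
DC = "10.14.134.4"          # KDC address given in the thread

# Constructed rows in the shape of a `tshark -T fields` export:
# (frame.number, ip.src, ip.dst, kerberos.msg_type, kerberos.kdcoptions, sname).
# Client addresses and option words are made up for this example.
ROWS = [
    (36, "10.14.134.77", DC, TGS_REQ, "0x40810010", SPN),   # canonicalize set
    (39, DC, "10.14.134.77", TGS_REP, "", "squiduser"),      # wrong sname back
    (52, "10.14.134.91", DC, TGS_REQ, "0x40800010", SPN),   # canonicalize clear
    (54, DC, "10.14.134.91", TGS_REP, "", SPN),              # correct ticket
]

# KDCOptions is a 32-bit ASN.1 BIT STRING; bit 0 is the most significant bit
# (RFC 4120 section 5.4.1), so the canonicalize flag (bit 15) is 0x00010000.
KDC_OPTION_BITS = {1: "forwardable", 8: "renewable", 15: "canonicalize", 27: "renewable-ok"}

def decode_kdc_options(hex_word):
    """Return the set of option names whose bit is set in a KDCOptions word."""
    word = int(hex_word, 16)
    return {name for bit, name in KDC_OPTION_BITS.items() if word & (1 << (31 - bit))}

def find_canonicalized_mismatches(rows):
    """Pair each TGS-REQ with the next TGS-REP to the same client; report the
    clients that set canonicalize and received a ticket for another sname."""
    pending, findings = {}, []
    for frame, src, dst, msg_type, options, sname in rows:
        if msg_type == TGS_REQ:
            pending[src] = (frame, sname, decode_kdc_options(options))
        elif msg_type == TGS_REP and dst in pending:
            req_frame, wanted, opts = pending.pop(dst)
            if "canonicalize" in opts and sname != wanted:
                findings.append({"client": dst, "req_frame": req_frame,
                                 "rep_frame": frame, "requested": wanted, "granted": sname})
    return findings

if __name__ == "__main__":
    for f in find_canonicalized_mismatches(ROWS):
        print(f"{f['client']}: frame {f['req_frame']} asked for {f['requested']}, "
              f"frame {f['rep_frame']} granted {f['granted']} (canonicalize set)")
```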