Win2k3 SP1 ktpass problem.


Win2k3 SP1 ktpass problem.

Srinivas Cheruku
Hi,

I am using Win2k3 as my KDC.

I was using the keytab extracted from Win2k3 ktpass
and it was working fine with my GSS applications. I
have upgraded to Win2k3 SP1 and now when I use ktpass
of Win2k3 SP1 to extract the keytab and use it with my
GSS application, I am getting an error on the GSS server
while accepting the context: "Decrypt integrity
check failed".

Has anyone encountered this problem with the keytab
created with Win2k3 SP1 ktpass?
Can anyone help me to fix this issue?

Thanks and Regards,
Srini

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Win2k3 SP1 ktpass problem.

Jeffrey Altman-3
Are you specifying the correct kvno and are you extracting
the correct enctype?   2K3 SP1 supports the export of RC4-HMAC
keys and that might be the new default.

Jeffrey Altman



--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu

Re: Win2k3 SP1 ktpass problem.

Markus Moeller
In reply to this post by Srinivas Cheruku
Did you map your principal to a user or computer account? If I remember
right, some salt calculation changed for DES keys if assigned to a computer
account. So an old keytab may not work.

Markus


Re: Win2k3 SP1 ktpass problem.

Srinivas Cheruku-3
In reply to this post by Srinivas Cheruku
Hi,

I have used the command below to extract the keytab. You can see that I
have specified the enctype correctly. Please let me know whether I need
to specify any other option to ktpass.

ktpass -mapuser [hidden email] -princ test/[hidden email] +DesOnly
-pass helloworld  -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -out
"c:\krb5.keytab"

I am using the user account and not the computer account.

Thanks,
Srini


Re: Win2k3 SP1 ktpass problem.

Jeffrey Altman-3
Is the correct kvno value being written to the keytab entry?

Use the KFW kvno.exe <service-principal> command to find out what
kvno the service principal is using.   Then include that value in
the ktpass.exe command line with the -kvno <kvno> command line
option.

Jeffrey Altman


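Jeffrey's advice above is to compare the kvno the KDC holds for the service principal with the kvno written into the keytab entry. The following added example (not from the thread, nor from MIT Kerberos or Microsoft) parses an MIT-format keytab offline and reports kvno and enctype mismatches for a principal; the principal name, realm, timestamp and key bytes are constructed, and `kdc_kvno` is assumed to be the value obtained from `kvno.exe` or an equivalent query.

```python
import struct
# Enctype numbers from RFC 3961 / RFC 4757; ktpass -crypto DES-CBC-MD5 yields 3
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
KRB5_NT_PRINCIPAL = 1

def _counted(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)          # 16-bit length prefix
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse an MIT keytab (file format 0x0502) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is supported")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13
        key, pos = data[pos:pos + klen], pos + klen
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, pos)[0] or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": ts, "kvno": kvno,
                        "enctype": enctype, "key": key})
        pos = end
    return entries

def build_keytab(entries):
    """Serialise entry dicts (same shape parse_keytab returns) into 0x0502 bytes."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e["name_type"], e["timestamp"], e["kvno"] & 0xFF)
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        out += struct.pack(">i", len(body) + 4) + body + struct.pack(">I", e["kvno"])
    return bytes(out)

def check_keytab(data, principal, kdc_kvno, allowed_enctypes):
    """List mismatches that surface as 'Decrypt integrity check failed' at the acceptor."""
    matches = [e for e in parse_keytab(data) if e["principal"] == principal]
    problems = [] if matches else [f"no entry for {principal}"]
    for e in matches:
        if e["kvno"] != kdc_kvno:
            problems.append(f"kvno {e['kvno']} in keytab, KDC reports {kdc_kvno}")
        if e["enctype"] not in allowed_enctypes:
            problems.append(f"enctype {ENCTYPES.get(e['enctype'], e['enctype'])} not accepted")
    return problems

# Constructed sample: one DES-CBC-MD5 entry modelled on the thread's nosp1acc principal
SAMPLE = build_keytab([{"principal": "nosp1acc/host.example.com@EXAMPLE.COM",
                        "name_type": KRB5_NT_PRINCIPAL, "timestamp": 1127286000,
                        "kvno": 2, "enctype": 3, "key": bytes.fromhex("0123456789abcdef")}])
```

Run `check_keytab(open("/etc/krb5.keytab", "rb").read(), principal, kdc_kvno, {3})` against a real keytab; an empty list means the entry matches what the KDC reports.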
Re: Win2k3 SP1 ktpass problem.

Srinivas Cheruku-3
In reply to this post by Srinivas Cheruku
Hi,
I have mapped the principal to a user account.
Did the salt calculation for DES keys for a user account change from
Win2k3 to Win2k3 SP1?
Can you please let me know or guide me to a link where I can find the
exact salt changes done for DES keys in the case of a computer account?

Can anyone tell me the changes done to Win2k3 SP1 ktpass when compared
to Win2k3 ktpass while extracting the keytab, since the keytab
extracted from Win2k3 ktpass is working but the one with Win2k3 SP1
ktpass doesn't?

Thanks,
Srini


Re: Win2k3 SP1 ktpass problem.

Markus Moeller
Srini,

Capture the traffic on port 88 with Ethereal and look at the KDC error
reply. If it is a salt issue it will tell you. The other ktpass option you
might want to try is /ptype KRB5_NT_SRV_HST.

Regards
Markus



Re: Win2k3 SP1 ktpass problem.

Pitrich, Karl
In reply to this post by Srinivas Cheruku-3
Hi,

Here are my (random) notes on how I do Windows/MIT key exchange
successfully:


With recent versions of MIT Kerberos it is not necessary to specify any
special enc-type as it supports MD4 (which is the Windows default now).
I'm also not specifying the ptype flag to ktpass.

The principal you specify at the ktpass command line will be added and/or
overwritten in AD.

As username to ktpass, use the login name only from AD.

Match the case of username and realm exactly.

With ADSI Edit you can then verify the servicePrincipalName or
userPrincipalName that will be added after invoking ktpass.

Using ktpass, the AD user will be automagically flagged as DES Only.


Import the keys on Linux and verify using:
  kinit -k -t /path/to/winkrb5.keytab <name>/<fqdn>@<REALM>
This should issue a ticket without entering a password.


I have encountered some troubles with the ticket serial number; to avoid
them, always change the password of the AD user prior to exporting with
ktpass, this ensures a current ticket.

Furthermore, ensure that the ktpass utility comes from a resource kit
from the same version as the Windows OS itself AND also the same
locale.



HTH,

 / karl


On Fri, 2005-09-09 at 06:59, Srini wrote:

> Hi,
>
> I have used the below command to extract the keytab. You can see that i
> have specified the enctype correctly. Please let me know whether i need
> to specify any other option to ktpass.
>
> ktpass -mapuser [hidden email] -princ test/[hidden email] +DesOnly
> -pass helloworld  -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -out
> "c:\krb5.keytab"
>
> I am using the user account and not the computer account.
>
> Thanks,
> Srini
>
> Jeffrey Altman wrote:
> > Are you specifying the correct kvno and are you extracting
> > the correct enctype?   2K3 SP1 supports the export of RC4-HMAC
> > keys and that might be the new default.
> >
> > Jeffrey Altman
> >
> >
> > Srinivas Cheruku wrote:
> > > Hi,
> > >
> > > I am using Win2k3 as my KDC.
> > >
> > > I was using the keytab extracted from Win2k3 ktpass
> > > and it was working fine with my GSS applications. I
> > > have upgraded to Win2k3 SP1 and now when i use ktpass
> > > of Win2k3 SP1 to extract the keytab and use it with my
> > > GSS application, i am getting error on the GSS server
> > > while accepting the context as "Decrypt integrity
> > > check failed".
> > >
> > > Can anyone encountered this problem with the keytab
> > > created with win2k3 sp1 ktpass?
> > > Can anyone help me to fix this issue?
> > >
> > > Thanks and Regards,
> > > Srini
> > >
> > >
> > >
> > >
> > > ______________________________________________________
> > > Click here to donate to the Hurricane Katrina relief effort.
> > > http://store.yahoo.com/redcross-donate3/
> > > ________________________________________________
> > > Kerberos mailing list           [hidden email]
> > > https://mailman.mit.edu/mailman/listinfo/kerberos
> > >
> >
> > --
> > -----------------
> > This e-mail account is not read on a regular basis.
> > Please send private responses to jaltman at mit dot edu
>
> ________________________________________________
> Kerberos mailing list           [hidden email]
> https://mailman.mit.edu/mailman/listinfo/kerberos

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

signature.asc (196 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Win2k3 SP1 ktpass problem.

Srinivas Cheruku-3
Hi Karl,

Thanks for the information you shared with me.

I have created two user accounts.
Then I have run the ktpass command as shown below with appropriate params
for the two new user accounts created:
ktpass -mapuser [hidden email] -princ sp1acc/[hidden email] +DesOnly
 -pass helloworld  -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -out
 "c:\krb5.keytab"

Now, I have two keys in /etc/krb5.keytab:
  1. sp1acc/[hidden email] - keytab extracted with Win2k3 SP1 ktpass
  2. nosp1acc/[hidden email] - keytab extracted with Win2k3 ktpass
 
Please find below the results from kinit

 bash-2.03$ ./kinit -k -t /etc/krb5.keytab sp1acc/[hidden email]
 kinit(v5): Preauthentication failed while getting initial credentials
 bash-2.03$
 
 
 bash-2.03$ ./kinit -k -t /etc/krb5.keytab nosp1acc/[hidden email]
 bash-2.03$ ./klist
 Ticket cache: FILE:/tmp/krb5cc_4001
 Default principal: nosp1acc/[hidden email]

 Valid starting     Expires            Service principal
 09/21/05 10:16:55  09/22/05 06:19:16  krbtgt/[hidden email]
         renew until 09/22/05 10:16:55


 Kerberos 4 ticket cache: /tmp/tkt4001
 klist: You have no tickets cached
 bash-2.03$
 
 
As shown above, I am getting the error "Preauthentication failed" when I try
to kinit for sp1acc/[hidden email], which was extracted using
Win2K3 SP1 ktpass.

Then, I created a user account and changed its password before
running Win2k3 SP1 ktpass on that account. Now when I do a kinit on this
service principal, I am issued a TGT without the "Preauthentication failed"
error.

Can anyone confirm that while using Win2k3 SP1 ktpass, the user account
password should be changed before running ktpass?
Also, I would appreciate it if someone could confirm that this is a bug
with Win2k3 SP1 ktpass which needs the password changed before running ktpass.

Thanks,
Srini


Re: Win2k3 SP1 ktpass problem.

Srinivas Cheruku-3
In reply to this post by Srinivas Cheruku
Hi Jeffrey Altman,

As you told me, I have checked the kvno.

kvno in keytab = 2
kvno in service ticket = 2
There is no difference between the kvno in the keytab and the kvno in the service
ticket.

Before extracting the keytab using Win2k3 SP1 ktpass, I reset the
password of that user account, then extracted the keytab using ktpass. This
keytab is working fine without any errors.

Can you please let me know whether we need to always reset the password
before running Win2k3 SP1 ktpass?
Is this a bug in MS Win2k3 SP1 ktpass?
Did you observe the same behaviour with the keytab extracted with Win2k3
SP1 ktpass?

Thanks,
Srini
