Windows 2008 R2 problems

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

Windows 2008 R2 problems

Markus Moeller
Hi

  I try to use a Windows 2008 R2 server together with MIT libraries 1.8.1
for Negotiate authentication. It works fine with 2008 but 2008 R2 seems to
have implemented http://www.ietf.org/id/draft-zhu-negoex-02.txt  which uses
a new mechtype 1.3.6.1.4.1.311.2.2.30.  Is this supported/tested with MIT
1.8.1 ?

Thank you
Markus


________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Windows 2008 R2 problems

Simo Sorce
On Fri, 29 Oct 2010 22:26:36 +0100
"Markus Moeller" <[hidden email]> wrote:

> Hi
>
>   I try to use a Windows 2008 R2 server together with MIT libraries
> 1.8.1 for Negotiate authentication. It works fine with 2008 but 2008
> R2 seems to have implemented
> http://www.ietf.org/id/draft-zhu-negoex-02.txt  which uses a new
> mechtype 1.3.6.1.4.1.311.2.2.30.  Is this supported/tested with MIT
> 1.8.1 ?

NEGOEX is not implemented by any MIT version at this stage.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Windows 2008 R2 problems

Markus Moeller

"Simo Sorce" <[hidden email]> wrote in message
news:[hidden email]...

> On Fri, 29 Oct 2010 22:26:36 +0100
> "Markus Moeller" <[hidden email]> wrote:
>
>> Hi
>>
>>   I try to use a Windows 2008 R2 server together with MIT libraries
>> 1.8.1 for Negotiate authentication. It works fine with 2008 but 2008
>> R2 seems to have implemented
>> http://www.ietf.org/id/draft-zhu-negoex-02.txt  which uses a new
>> mechtype 1.3.6.1.4.1.311.2.2.30.  Is this supported/tested with MIT
>> 1.8.1 ?
>
> NEGOEX is not implemented by any MIT version at this stage.
>

So will it be ignored or does it create an error ?

> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
> ________________________________________________
> Kerberos mailing list           [hidden email]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

Thank you
Markus


________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Windows 2008 R2 problems

Markus Moeller
Stepping through the debugger.  I get an error here:

 in krb5int_dk_decrypt  from dk_aead.c using MIT 1.8.3

 260
 261     /* Compare only the possibly truncated length. */
 262     if (memcmp(cksum, trailer->data.data, hmacsize) != 0) {
 263         ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
 264         goto cleanup;
 265     }

which I think does not relate to the new mech type. Any idea what to look
for ?

Thank you
Markus


"Markus Moeller" <[hidden email]> wrote in message
news:iafjbr$soe$[hidden email]...

>
> "Simo Sorce" <[hidden email]> wrote in message
> news:[hidden email]...
>> On Fri, 29 Oct 2010 22:26:36 +0100
>> "Markus Moeller" <[hidden email]> wrote:
>>
>>> Hi
>>>
>>>   I try to use a Windows 2008 R2 server together with MIT libraries
>>> 1.8.1 for Negotiate authentication. It works fine with 2008 but 2008
>>> R2 seems to have implemented
>>> http://www.ietf.org/id/draft-zhu-negoex-02.txt  which uses a new
>>> mechtype 1.3.6.1.4.1.311.2.2.30.  Is this supported/tested with MIT
>>> 1.8.1 ?
>>
>> NEGOEX is not implemented by any MIT version at this stage.
>>
>
> So will it be ignored or does it create an error ?
>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>> ________________________________________________
>> Kerberos mailing list           [hidden email]
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
> Thank you
> Markus
>
>
> ________________________________________________
> Kerberos mailing list           [hidden email]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>


________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Windows 2008 R2 problems

Markus Moeller
If I use RC4-hmac it works but AES 128/256 fail on Windows 2008 R2 although
AES 128/256 works on 2008. Can anybody confirm ? Has 2008 R2 changed
something compared to 2008 ?

Thank you
Markus

"Markus Moeller" <[hidden email]> wrote in message
news:iah61u$rak$[hidden email]...

> Stepping through the debugger.  I get an error here:
>
> in krb5int_dk_decrypt  from dk_aead.c using MIT 1.8.3
>
> 260
> 261     /* Compare only the possibly truncated length. */
> 262     if (memcmp(cksum, trailer->data.data, hmacsize) != 0) {
> 263         ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
> 264         goto cleanup;
> 265     }
>
> which I think does not relate to the new mech type. Any idea what to look
> for ?
>
> Thank you
> Markus
>
>
> "Markus Moeller" <[hidden email]> wrote in message
> news:iafjbr$soe$[hidden email]...
>>
>> "Simo Sorce" <[hidden email]> wrote in message
>> news:[hidden email]...
>>> On Fri, 29 Oct 2010 22:26:36 +0100
>>> "Markus Moeller" <[hidden email]> wrote:
>>>
>>>> Hi
>>>>
>>>>   I try to use a Windows 2008 R2 server together with MIT libraries
>>>> 1.8.1 for Negotiate authentication. It works fine with 2008 but 2008
>>>> R2 seems to have implemented
>>>> http://www.ietf.org/id/draft-zhu-negoex-02.txt  which uses a new
>>>> mechtype 1.3.6.1.4.1.311.2.2.30.  Is this supported/tested with MIT
>>>> 1.8.1 ?
>>>
>>> NEGOEX is not implemented by any MIT version at this stage.
>>>
>>
>> So will it be ignored or does it create an error ?
>>
>>> Simo.
>>>
>>> --
>>> Simo Sorce * Red Hat, Inc * New York
>>> ________________________________________________
>>> Kerberos mailing list           [hidden email]
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>
>> Thank you
>> Markus
>>
>>
>> ________________________________________________
>> Kerberos mailing list           [hidden email]
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
>
> ________________________________________________
> Kerberos mailing list           [hidden email]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>


________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Windows 2008 R2 problems

Markus Moeller
It looks like I had not cleared my windows cache. It works all fine with
2008 R2.

Markus


"Markus Moeller" <[hidden email]> wrote in message
news:iahs8a$ige$[hidden email]...

> If I use RC4-hmac it works but AES 128/256 fail on Windows 2008 R2
> although
> AES 128/256 works on 2008. Can anybody confirm ? Has 2008 R2 changed
> something compared to 2008 ?
>
> Thank you
> Markus
>
> "Markus Moeller" <[hidden email]> wrote in message
> news:iah61u$rak$[hidden email]...
>> Stepping through the debugger.  I get an error here:
>>
>> in krb5int_dk_decrypt  from dk_aead.c using MIT 1.8.3
>>
>> 260
>> 261     /* Compare only the possibly truncated length. */
>> 262     if (memcmp(cksum, trailer->data.data, hmacsize) != 0) {
>> 263         ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
>> 264         goto cleanup;
>> 265     }
>>
>> which I think does not relate to the new mech type. Any idea what to look
>> for ?
>>
>> Thank you
>> Markus
>>
>>
>> "Markus Moeller" <[hidden email]> wrote in message
>> news:iafjbr$soe$[hidden email]...
>>>
>>> "Simo Sorce" <[hidden email]> wrote in message
>>> news:[hidden email]...
>>>> On Fri, 29 Oct 2010 22:26:36 +0100
>>>> "Markus Moeller" <[hidden email]> wrote:
>>>>
>>>>> Hi
>>>>>
>>>>>   I try to use a Windows 2008 R2 server together with MIT libraries
>>>>> 1.8.1 for Negotiate authentication. It works fine with 2008 but 2008
>>>>> R2 seems to have implemented
>>>>> http://www.ietf.org/id/draft-zhu-negoex-02.txt  which uses a new
>>>>> mechtype 1.3.6.1.4.1.311.2.2.30.  Is this supported/tested with MIT
>>>>> 1.8.1 ?
>>>>
>>>> NEGOEX is not implemented by any MIT version at this stage.
>>>>
>>>
>>> So will it be ignored or does it create an error ?
>>>
>>>> Simo.
>>>>
>>>> --
>>>> Simo Sorce * Red Hat, Inc * New York
>>>> ________________________________________________
>>>> Kerberos mailing list           [hidden email]
>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>
>>>
>>> Thank you
>>> Markus
>>>
>>>
>>> ________________________________________________
>>> Kerberos mailing list           [hidden email]
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>
>>
>> ________________________________________________
>> Kerberos mailing list           [hidden email]
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
>
> ________________________________________________
> Kerberos mailing list           [hidden email]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>


________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos