directory-dev mailing list archives

From "Eirik Bjorsnos (JIRA)" <>
Subject [jira] [Commented] (DIRKRB-100) Active Directory support for KdcConnection
Date Fri, 28 Feb 2014 09:47:19 GMT


Eirik Bjorsnos commented on DIRKRB-100:

KdcConfig.getEncryptionTypes returns null, so I'm instead stealing the contents from KdcConfig.DEFAULT_ENCRYPTION_TYPES
(which is a private static variable, not accessible from anywhere).

So my code now looks something like this: 
KdcConfig config = KdcConfig.getDefaultConfig();

Set<EncryptionType> encTypes = new HashSet<EncryptionType>();


encTypes = KerberosUtils.orderEtypesByStrength(encTypes);


The result from this is that I get an AS_REP back with encryption type RC4_HMAC_EXP (weaker

RC4_HMAC_EXP is not supported by the client code "KerberosException: KDC has no support for
encryption type".

So removing RC4_HMAC_EXP, I get a somewhat strange behaviour.

Wireshark now shows an AP_REP with enc-type des-cbc-md5. Additionally, Wireshark says "NT
Status: Unknown error code 0x544e414b". I think this is just a bug in Wireshark:

Anyhow, the client side code fails:
Exception in thread "main"
Integrity check on decrypted field failed

Not sure why it chose Aes256CtsSha1Encryption?

> Active Directory support for KdcConnection
> ------------------------------------------
>                 Key: DIRKRB-100
>                 URL:
>             Project: Directory Kerberos
>          Issue Type: Improvement
>            Reporter: Eirik Bjorsnos
>            Assignee: Emmanuel Lecharny
> I'm testing KdcConnection.getTgt() with Microsoft Active Directory.
> My first test failed with AD responding with first saying KRB5KRB_ERR_PREAUTH_REQUIRED
> (expected), then KRB5KRB_ERR_PREAUTH_FAILED (not expected).
> Since PREAUTH_FAILED is what you'll also get if your password is wrong, I enabled "Do
> not use pre authentication" for the account being tested and verified via kinit on OS X that
> no pre authentication was sent there.
> When testing getTgt with no preauth, I now get the following exception:
> Exception in thread "main"
> Request failed due to being malformed.
> 	at
> 	at
> 	at
> 	at
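The comment above runs into two sides of the same problem: the client offered every default encryption type (including RC4_HMAC_EXP, which it cannot decrypt with), and the KDC then picked one of the weak ones. The following is an added example, not code from this thread or from Apache Directory: a small Python model of AS-REQ etype negotiation that contrasts the naive offer (everything in the default list, ordered by strength) with a hardened offer limited to types the client implements and policy still accepts. The etype numbers are the IANA-registered values; the strength ordering, the client's implemented set, the deprecated set, and the KDC selection rule (first entry of the KDC's own preference list that the client offered) are this example's assumptions, not a description of how Active Directory or the Apache Directory KDC decides.

```python
"""Model of Kerberos AS-REQ encryption-type (etype) negotiation.

Added illustration; not Apache Directory code. Everything except the IANA
etype numbers is a constructed assumption for the purpose of the example.
"""

# IANA-registered Kerberos encryption type numbers (RFC 3961/3962/4757).
ETYPES = {
    "des-cbc-crc": 1,
    "des-cbc-md5": 3,
    "aes128-cts-hmac-sha1-96": 17,
    "aes256-cts-hmac-sha1-96": 18,
    "rc4-hmac": 23,
    "rc4-hmac-exp": 24,
}

# Client preference, strongest first (assumed ordering for this example).
STRENGTH_ORDER = [
    "aes256-cts-hmac-sha1-96",
    "aes128-cts-hmac-sha1-96",
    "rc4-hmac",
    "des-cbc-md5",
    "des-cbc-crc",
    "rc4-hmac-exp",
]

# Types the modelled client can actually decrypt with. Constructed to mirror
# the thread: rc4-hmac-exp is in the default list but not implemented.
CLIENT_IMPLEMENTED = {
    "aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
    "rc4-hmac", "des-cbc-md5", "des-cbc-crc",
}

# Types the modelled client policy refuses to use at all (assumed policy).
DEPRECATED = {"des-cbc-crc", "des-cbc-md5", "rc4-hmac-exp"}

# The "default config" list, constructed: every type the model knows about.
DEFAULT_CANDIDATES = list(ETYPES)

# A constructed KDC preference that favours the weakest types, to reproduce
# the outcome seen in the thread (it is NOT a claim about AD's real policy).
WEAK_FIRST_KDC = ["rc4-hmac-exp", "des-cbc-md5", "rc4-hmac",
                  "aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"]


def order_by_strength(etypes):
    """Return the given names as a list, strongest first; unknown names are dropped."""
    wanted = set(etypes)
    return [e for e in STRENGTH_ORDER if e in wanted]


def naive_offer(candidates):
    """What the snippet in the thread does: offer every configured default type."""
    return order_by_strength(candidates)


def hardened_offer(candidates):
    """Offer only types the client implements and that policy still accepts."""
    return order_by_strength(set(candidates) & (CLIENT_IMPLEMENTED - DEPRECATED))


def as_req_etypes(offered):
    """The numeric etype sequence that would go into the AS-REQ body."""
    return [ETYPES[e] for e in offered]


def kdc_select(offered, kdc_preference):
    """Modelled KDC choice: first of its own preferences that the client offered.

    Returns None when nothing overlaps; a real KDC answers KDC_ERR_ETYPE_NOSUPP.
    """
    for e in kdc_preference:
        if e in offered:
            return e
    return None


def validate_as_rep(offered, selected):
    """Client-side check of the AS-REP etype before attempting any decryption."""
    if selected is None:
        return "KDC_ERR_ETYPE_NOSUPP"
    if selected not in offered:
        return "reject: etype not offered"
    if selected not in CLIENT_IMPLEMENTED:
        return "client error: no support for encryption type"
    if selected in DEPRECATED:
        return "reject: deprecated etype"
    return "ok"


def negotiate(offer_fn, candidates, kdc_preference):
    """Run one exchange and return (offered list, KDC choice, client verdict)."""
    offered = offer_fn(candidates)
    selected = kdc_select(offered, kdc_preference)
    return offered, selected, validate_as_rep(offered, selected)


if __name__ == "__main__":
    for fn in (naive_offer, hardened_offer):
        offered, selected, verdict = negotiate(fn, DEFAULT_CANDIDATES, WEAK_FIRST_KDC)
        print(f"{fn.__name__}: AS-REQ etypes={as_req_etypes(offered)} "
              f"KDC chose={selected} -> {verdict}")
```

With the weak-first KDC, the naive offer gets rc4-hmac-exp back and fails client-side, which is the first error quoted in the comment; the hardened offer never lists a type the client cannot decrypt or does not want, so whatever the KDC selects is at worst the weakest type the client deliberately left in. The client cannot dictate the KDC's choice, but it can set the floor by controlling what it offers, and `validate_as_rep` keeps a surprising AS-REP from reaching the decryption step.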
