directory-kerby mailing list archives

From Richard Feezel <rfee...@gmail.com>
Subject [kerby] Windows 10 client preauth failure
Date Tue, 27 Jun 2017 04:15:58 GMT
Has anyone been able to get a Windows 10 client to authenticate
against a Kerby KDC?

Java clients are successfully authenticating to this KDC.

I'm trying to test Windows 10 as a client and Windows is complaining:
"An unsupported preauthentication mechanism was presented to the
Kerberos package."

Looking at a packet trace, the AS_REQ contains no PA data, so Kerby
returns an error saying ERR_PREAUTH_REQUIRED. Here are the request and
reply packets:

Frame 4: 229 bytes on wire (1832 bits), 229 bytes captured (1832 bits)
on interface 0
Linux cooked capture
Internet Protocol Version 4, Src: 192.168.191.14, Dst: 192.168.191.8
Transmission Control Protocol, Src Port: 1595, Dst Port: 88, Seq: 1,
Ack: 1, Len: 173
Kerberos
    Record Mark: 169 bytes
        0... .... .... .... .... .... .... .... = Reserved: Not set
        .000 0000 0000 0000 0000 0000 1010 1001 = Record Length: 169
    as-req
        pvno: 5
        msg-type: krb-as-req (10)
        req-body
            Padding: 0
            kdc-options: 40800010 (forwardable, renewable, renewable-ok)
                0... .... = reserved: False
                .1.. .... = forwardable: True
                ..0. .... = forwarded: False
                ...0 .... = proxiable: False
                .... 0... = proxy: False
                .... .0.. = allow-postdate: False
                .... ..0. = postdated: False
                .... ...0 = unused7: False
                1... .... = renewable: True
                .0.. .... = unused9: False
                ..0. .... = unused10: False
                ...0 .... = opt-hardware-auth: False
                .... ..0. = request-anonymous: False
                .... ...0 = canonicalize: False
                0... .... = constrained-delegation: False
                ..0. .... = disable-transited-check: False
                ...1 .... = renewable-ok: True
                .... 0... = enc-tkt-in-skey: False
                .... ..0. = renew: False
                .... ...0 = validate: False
            cname
                name-type: kRB5-NT-PRINCIPAL (1)
                cname-string: 1 item
                    CNameString: rfeezel
            realm: PRODENTITY2.COM
            sname
                name-type: kRB5-NT-SRV-INST (2)
                sname-string: 2 items
                    SNameString: krbtgt
                    SNameString: PRODENTITY2.COM
            till: 2037-09-13 02:48:05 (UTC)
            rtime: 2037-09-13 02:48:05 (UTC)
            nonce: 555337712
            etype: 3 items
                ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
                ENCTYPE: eTYPE-DES-CBC-MD5 (3)


Frame 6: 221 bytes on wire (1768 bits), 221 bytes captured (1768 bits)
on interface 0
Linux cooked capture
Internet Protocol Version 4, Src: 192.168.191.8, Dst: 192.168.191.14
Transmission Control Protocol, Src Port: 88, Dst Port: 1595, Seq: 1,
Ack: 174, Len: 165
Kerberos
    Record Mark: 161 bytes
        0... .... .... .... .... .... .... .... = Reserved: Not set
        .000 0000 0000 0000 0000 0000 1010 0001 = Record Length: 161
    krb-error
        pvno: 5
        msg-type: krb-error (30)
        stime: 2017-06-27 03:51:16 (UTC)
        susec: 100
        error-code: eRR-PREAUTH-REQUIRED (25)
        realm: PRODENTITY2.COM
        sname
            name-type: kRB5-NT-PRINCIPAL (1)
            sname-string: 1 item
                SNameString: rfeezel
        e-text: Additional pre-authentication required
        e-data: 301b3019a103020113a2120410300e3005a0030201123005...
            PA-DATA PA-ENCTYPE-INFO2
                padata-type: kRB5-PADATA-ETYPE-INFO2 (19)
                    padata-value: 300e3005a0030201123005a003020111
                        ETYPE-INFO2-ENTRY
                            etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                        ETYPE-INFO2-ENTRY
                            etype: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)

-- 
Richard M Feezel
rfeezel@gmail.com
