From: jjl...@rocketsoftware.com (JianJun Li)
Newsgroups: comp.protocols.kerberos
Subject: Question about Windows S4U support
Date: Wed, 8 Nov 2023 14:23:03 +0000
Organization: TNet Consulting
Lines: 67
Message-ID: <mailman.44.1699466018.2263420.kerberos@mit.edu>
References: <DM6PR07MB4651D6917435E9AF74528364BBA8A@DM6PR07MB4651.namprd07.prod.outlook.com>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
 by: JianJun Li - Wed, 8 Nov 2023 14:23 UTC

Hi everyone,

We have an application with a Windows client and an AD domain; for S4USelf, it works well.

Our application calls LsaLogonUser() to impersonate a user, which uses S4USelf by setting up the Windows structure KERB_S4U_LOGON.

Now we want to switch from Windows AD to an MIT KDC. Currently Windows can be authenticated by the MIT KDC without any problem, but the Windows API LsaLogonUser() in our application fails.

Problem 1:
When LsaLogonUser() is called, it produces the following error:

Nov 03 14:01:40 niuniu krb5kdc[13724](info): TGS_REQ (5 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135)}) 192.168.0.5: LOOKING_UP_SERVER: authtime 0, host/win11client.mylab.com@MYLAB.COM for host\/win11client.mylab.com@MYLAB.COM, Server not found in Kerberos database

In fact, the principal "host/win11client.mylab.com@MYLAB.COM" exists. In Wireshark I can see that Windows sends "host/win11client.mylab.com@MYLAB.COM" as the sname, and the KDC converts the sname to host\/win11client.mylab.com@MYLAB.COM.
I had a look at the code but found no parameter or setting that can change this behavior.

Problem 2:
Sometimes, the AS-REQ and TGS-REQ are both OK on the MIT KDC, but Windows reports this error in the Windows Event Viewer after calling LsaLogonUser():

The digitally signed Privilege Attribute Certificate (PAC) that contains the authorization information for client user in realm MYLAB.COM could not be validated.
This error is usually caused by domain trust failures; Contact your system administrator.

I also tested "kvno -U user" on the same Windows machine, and it works.

From the MIT Kerberos documentation, I can see that S4U can be supported. My question is: for S4U, does the MIT KDC interoperate with the Windows API? Any feedback will be greatly appreciated.

I'm a newbie in Kerberos, thanks for your help!

Regards

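An added illustration of what the backslash in the KDC log line means (example code written for this page; it is not part of the post and not MIT krb5's own code). MIT krb5 prints principals with krb5_unparse_name, which escapes a literal '/' inside a name component as `\/`. So `host\/win11client.mylab.com@MYLAB.COM` in the log is the display form of a principal whose single component is the string `host/win11client.mylab.com`, and that is a different database key from the two-component principal `host/win11client.mylab.com@MYLAB.COM` that the poster created. The small parser/unparser below mirrors that escaping convention (realm escaping is simplified; the two sample strings are the ones from the log line in the post) and shows that the two spellings parse to different principals while each round-trips to its own spelling. Whether the Windows client actually sent the sname as a one-component name (the form used for enterprise-style names) is a hypothesis about the log, not something the post confirms.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Principal:
    """A principal the way MIT krb5 models it: name components plus a realm."""
    components: List[str]
    realm: str


# Characters that krb5_unparse_name quotes with a backslash inside a component,
# so that a literal '/' or '@' stays distinguishable from a separator.
_ESCAPE = {"/": "\\/", "@": "\\@", "\\": "\\\\", "\0": "\\0",
           "\t": "\\t", "\n": "\\n", "\b": "\\b"}
_UNESCAPE = {"/": "/", "@": "@", "\\": "\\", "0": "\0",
             "t": "\t", "n": "\n", "b": "\b"}


def unparse(p: Principal) -> str:
    """Render a principal in the quoted string form the KDC writes to its log."""
    comps = ["".join(_ESCAPE.get(ch, ch) for ch in c) for c in p.components]
    # Simplification (assumption of this example): the realm is emitted as-is.
    return "/".join(comps) + "@" + p.realm


def parse(text: str) -> Principal:
    """Parse the quoted string form back into components and realm."""
    components: List[str] = []
    cur: List[str] = []
    realm: Optional[str] = None
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if ch == "\\":
            # Backslash quotes the next character; unknown escapes are kept literally.
            if i + 1 >= n:
                raise ValueError("trailing backslash in principal name")
            nxt = text[i + 1]
            cur.append(_UNESCAPE.get(nxt, nxt))
            i += 2
            continue
        if ch == "/":
            components.append("".join(cur))
            cur = []
        elif ch == "@":
            components.append("".join(cur))
            realm = text[i + 1:]   # rest of the string is the realm (simplified)
            break
        else:
            cur.append(ch)
        i += 1
    else:
        components.append("".join(cur))
    if realm is None:
        raise ValueError("principal name has no realm")
    return Principal(components, realm)


def same_principal(a: str, b: str) -> bool:
    """True only if both spellings denote the same components and realm."""
    return parse(a) == parse(b)


def as_multi_component(p: Principal) -> Principal:
    """Reinterpret a one-component name containing '/' as the conventional
    multi-component service name (the hypothesis about the log line)."""
    if len(p.components) != 1:
        return p
    return Principal(p.components[0].split("/"), p.realm)


# Sample strings taken from the KDC log line quoted in the post.
LOGGED = r"host\/win11client.mylab.com@MYLAB.COM"   # what the KDC looked up
DB_ENTRY = "host/win11client.mylab.com@MYLAB.COM"    # what exists in the database


if __name__ == "__main__":
    print("logged name components :", parse(LOGGED).components)
    print("database key components:", parse(DB_ENTRY).components)
    print("same principal?        :", same_principal(LOGGED, DB_ENTRY))
    print("reinterpreted matches? :",
          as_multi_component(parse(LOGGED)) == parse(DB_ENTRY))
```

Run stand-alone, the script shows the logged name parsing to one component `host/win11client.mylab.com` and the database entry parsing to two (`host`, `win11client.mylab.com`), which is why a lookup of the first cannot find the second. When reading a krb5kdc "Server not found" line, a `\/` in the server name is therefore the first thing to check: it tells you the requested name reached the KDC with the slash inside a component rather than as a component separator.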