
We have two different applications in our network, both use Kerberos to authenticate users. One of them causes problems when the max. ticket lifetime has expired.

Successful request with application x:

AS-REQ =>
    <= KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ => 
    <= AS-REP

Unsuccessful request with application y:

AS-REQ =>
    <= KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ =>
    <= KRB5KDC_ERR_PREAUTH_FAILED

The only difference we can see in network captures is that app x uses NT-PRINCIPAL, while app y uses NT-ENTERPRISE. App y runs on Java 1.6, so the preauth bug from earlier versions shouldn't occur.

Any ideas are highly appreciated.

Michael Böckling
  • It could fail due to an unsupported encryption algorithm used for the pre-authentication message. – Marko Topolnik Oct 10 '12 at 15:05
  • That's interesting, I noticed AD seems to use des-cbc-md5, but we're only using rc4-hmac for our config. Do we have to include that algo in the keytab crypto generation options, or in krb5.conf? – Michael Böckling Oct 10 '12 at 15:37
  • It would be good to be clear about what the AD actually supports and then configure krb5.conf accordingly. For a start, configure to use des-cbc-md5 if you know that one works. DES is weak by today's standards so you should avoid it. Note also that an AD user account can be specifically configured to only use DES in order to interoperate with antiquated clients. – Marko Topolnik Oct 10 '12 at 15:42
  • We configured RC4-HMAC for our keytabs and krb5 config, and it seems to work ok. It's only when the ticket expires that we run into problems. Does that make any sense to you? – Michael Böckling Oct 10 '12 at 15:53
  • Do you do the initial pre-authentication? Pre-auth has its own config, as far as I remember. – Marko Topolnik Oct 10 '12 at 15:56
  • There's another thing that sounds odd to me: pre-auth should only happen at the client side, and there you don't use keytabs. The keytab is not involved in pre-auth at all. – Marko Topolnik Oct 10 '12 at 16:08

1 Answer


I think that the solution to this issue was to re-generate our keytabs with the "/crypto All" option, but I'm not 100% sure. At least we had no more complaints after that.

Michael Böckling
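Added example, not code from the question or the answer: a small Python keytab inspector that parses the MIT/Heimdal keytab format and lists each entry's principal, name type, kvno and enctype, then reports any enctype the KDC advertised (in the ETYPE-INFO2 of its PREAUTH_REQUIRED reply) for which the keytab holds no key; this is the check behind the enctype discussion in the comments and the keytab regeneration in the answer. The sample keytab, its principal and the advertised enctype list are constructed for illustration.

```python
# Inspect a Kerberos keytab (MIT/Heimdal format 0x0502, big-endian): list the
# principal, name type, kvno and enctype per entry, then compare the enctypes
# present against those the KDC advertised in its PREAUTH_REQUIRED reply.
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
NAME_TYPES = {1: "NT-PRINCIPAL", 2: "NT-SRV-INST", 10: "NT-ENTERPRISE"}

def parse_keytab(data):
    """Return a list of (principal, name_type, kvno, enctype) tuples."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]
        pos += 4
        if size < 0:                 # a negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack(">H", data[pos:pos + 2])[0]
        parts, pos = [], pos + 2     # realm first, then the name components
        for _ in range(ncomp + 1):
            n = struct.unpack(">H", data[pos:pos + 2])[0]
            parts.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        name_type, _stamp, vno8, etype, klen = struct.unpack(">IIBHH", data[pos:pos + 13])
        pos += 13 + klen             # skip the key bytes themselves
        # a 32-bit kvno trails the key when the entry has room for it
        kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        entries.append(("/".join(parts[1:]) + "@" + parts[0],
                        NAME_TYPES.get(name_type, str(name_type)),
                        kvno, ENCTYPES.get(etype, str(etype))))
        pos = end
    return entries

def missing_enctypes(entries, kdc_offered):
    """Enctypes the KDC advertises for which the keytab holds no key."""
    return sorted(set(kdc_offered) - {e[3] for e in entries})

def _entry(realm, comps, name_type, kvno, etype, key):  # builds the sample below
    body = struct.pack(">HH", len(comps), len(realm)) + realm
    for c in comps:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIBHH", name_type, 1349881200, kvno & 0xFF, etype, len(key))
    body += key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: one rc4-hmac key, kvno 3, all-zero key bytes (not a real key)
SAMPLE_KEYTAB = b"\x05\x02" + _entry(b"EXAMPLE.COM", [b"HTTP", b"app.example.com"],
                                     1, 3, 23, bytes(16))
```

Run `parse_keytab(open("app.keytab", "rb").read())` on a real keytab and pass the enctypes seen in the KDC's ETYPE-INFO2 to `missing_enctypes` to spot a key that was never generated.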