devel / comp.protocols.kerberos / RE: Question about Windows S4U support

RE: Question about Windows S4U support

https://www.rocksolidbbs.com/devel/article-flat.php?id=425&group=comp.protocols.kerberos#425

  copy link   Newsgroups: comp.protocols.kerberos
Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!tncsrv06.tnetconsulting.net!.POSTED.mailman.mit.edu!not-for-mail
From: jjli@rocketsoftware.com (JianJun Li)
Newsgroups: comp.protocols.kerberos
Subject: RE: Question about Windows S4U support
Date: Thu, 9 Nov 2023 01:36:11 +0000
Message-ID: <mailman.47.1699509461.2263420.kerberos@mit.edu>
References: <DM6PR07MB4651D6917435E9AF74528364BBA8A@DM6PR07MB4651.namprd07.prod.outlook.com>
<202311081916.3A8JGiOG013874@hedwig.cmf.nrl.navy.mil>
<DM6PR07MB465176E57F2D96014DEF31FBBBAFA@DM6PR07MB4651.namprd07.prod.outlook.com>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
In-Reply-To: <202311081916.3A8JGiOG013874@hedwig.cmf.nrl.navy.mil>
 by: JianJun Li - Thu, 9 Nov 2023 01:36 UTC

Thank you, Ken, for the valuable feedback.

I'm using the latest version, V1.21, with its default backend DB. After the test, if all works, I will then try the combination MIT KDC + OpenLDAP.

There are not many available materials I can refer to for a case like mine. Sometimes I really doubt whether the Windows S4U API is completely compatible with MIT KDC, but based on the current investigation, I still can't draw any conclusions. That's why I post comments here.

Regards
Jianjun Li

-----Original Message-----
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Sent: Thursday, November 9, 2023 3:17 AM
To: JianJun Li <jjli@rocketsoftware.com>
Cc: kerberos@mit.edu
Subject: Re: Question about Windows S4U support


I am DEFINITELY not an expert in S4U* nor Windows APIs, but I have looked into this a BIT and I can give you some thoughts.

>Now we want to switch from Windows AD to MIT KDC. Currently Windows
>can be authenticated by MIT KDC without any problem, but the Windows API
>LSALogonUser() in our application fails.

It should be noted up front that there are some caveats to MIT Kerberos S4U support. The specific one that I am aware of is that you cannot use the db2 database (the default) as the KDC backend; you need to use the LDAP KDB module and configure a special attribute called "krbAllowedToDelegateTo" to configure a service principal to permit S4U2Self. I am not sure this is relevant to this discussion though.

>Nov 03 14:01:40 niuniu krb5kdc[13724](info): TGS_REQ (5 etypes
>{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
>DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24),
>UNSUPPORTED:(-135)}) 192.168.0.5: LOOKING_UP_SERVER: authtime 0,
>host/win11client.mylab.com@MYLAB.COM for host\/win11client.mylab.com@MYLAB.COM, Server not found
>in Kerberos database

It's important to understand that INTERNALLY Kerberos principals are represented as a sequence of one or more strings and a realm. So while you may see a principal in the form of "host/win11client@MYLAB.COM", that's just the user representation. Really that's encoded on the wire as the strings "host" and "win11client", and the realm MYLAB.COM. If MIT Kerberos is displaying that as "host\/win11client@MYLAB.COM", then that means it's getting ONE string for that principal that contains "host/win11client" (the '/' is the traditional separator for strings in a Kerberos principal). I have no idea why that is happening, but that suggests to me that there is some problem on the client side.

--Ken

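One way to see the distinction Ken describes in that reply, as an added example that is not from the thread or from MIT krb5 itself: a small principal-string parser following krb5_parse_name's escaping conventions (unescaped '/' separates components, unescaped '@' starts the realm, a backslash makes the next character literal). The sample names are constructed; the escaped one mirrors the "host\/win11client.mylab.com" form in the KDC log.

```python
# Added example (not from the thread or MIT krb5): a krb5_parse_name-style parser
# showing why the KDC log printed "host\/win11client.mylab.com": the name it got
# is ONE component containing '/', not the components "host", "win11client...".
from dataclasses import dataclass

ESCAPES = {"n": "\n", "t": "\t", "b": "\b", "0": "\0"}

@dataclass
class Principal:
    components: list[str]
    realm: str

def parse_principal(text: str) -> Principal:
    """'a/b@REALM' -> components + realm; '\\/' and '\\@' stay inside a component."""
    comps: list[str] = []
    cur: list[str] = []
    in_realm = False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # escape: take the next char literally
            cur.append(ESCAPES.get(text[i + 1], text[i + 1]))
            i += 2
            continue
        if not in_realm and ch in "/@":        # unescaped separator
            comps.append("".join(cur))
            cur = []
            in_realm = ch == "@"
        else:
            cur.append(ch)
        i += 1
    if in_realm:
        return Principal(comps, "".join(cur))
    comps.append("".join(cur))                 # no '@' seen: realm left empty
    return Principal(comps, "")

def unparse_principal(p: Principal) -> str:
    """Display form as the KDC logs it: '\\', '/' and '@' inside a part are escaped."""
    def esc(s: str) -> str:
        return s.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")
    return "/".join(esc(c) for c in p.components) + "@" + esc(p.realm)

# Constructed samples: what the KDB holds (two parts) vs. what the log suggests the client sent (one part).
OK_NAME = "host/win11client.mylab.com@MYLAB.COM"
BAD_NAME = "host\\/win11client.mylab.com@MYLAB.COM"

if __name__ == "__main__":
    for name in (OK_NAME, BAD_NAME):
        p = parse_principal(name)
        print(f"{name}: {len(p.components)} component(s) {p.components} @ {p.realm}")
```

Running it shows the first name splitting into two components and the second staying a single component, which is the lookup that fails with "Server not found in Kerberos database".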
