How can I check this bind compatibility? The server is a windows 2008 so
I assumed it just used kerberos when I added the vista pc to the domain.
Yes, I have the same visible behavior with an xp client although I could
not check wireshark on port 88 because the xp is connected via vpn.
thanks,
Lieven
Tim Neto wrote:
> How is the Vista machine bound to the Active Directory domain? NTLM
> compatibility? Does the same behavior occur with an XP client?
>
> ----------------------------------------------------------------------
> Timothy E. Neto
> Computer Systems Engineer SMS Construction and Mining Systems Inc.
> E-M: tneto_at_smscons.com 5985 McLaughlin Road
> Ph#: 905-283-2770 x265 Mississauga, Canada
> Fax: 905-283-2779 L5R 1B8
> ----------------------------------------------------------------------
>
>
> On 5/11/2010 8:27 AM, lieven wrote:
>> Hello again,
>>
>> This time, I got access to a pc in the AD domain.
>>
>> When I monitor for both udp and tcp port 88, there is krb communication
>> to be seen but it doesn't look right.
>> From AD server to client I see the following error:
>> krb5kdc_err_s_principal_unknown
>>
>> It looks like this: (only krb5 and some tcp lines)
>> 1. server -> client: Krb Error: krb5kdc_err_s_principal_unknown
>> 2. client -> server: AS-REQ
>> 3. server -> client: KRB Error: krb5kdc_err_preauth_required
>> 4. client -> server: AS-REQ
>> 5. server -> client: AS-REP
>> 6. client -> server: AS-REQ
>> 7. server -> client: KRB Error: krb5kdc_err_preauth_required
>> ...{4-7} X7
>>
>> this sequence, starting from 3 is repeated a few times, as many times as
>> I had to enter credentials in IE popup.
>>
>> Here is a detail from the error packet principal unknown:
>> No. Time Source Destination Protocol
>> Info
>> 6 0.009940 X.X.X.X X.X.X.X KRB5 KRB
>> Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
>>
>> Frame 6 (179 bytes on wire, 179 bytes captured)
>> Ethernet II, Src: Vmware_7e:84:97 (00:0c:29:7e:84:97), Dst:
>> Dell_48:f3:90 (00:24:e8:48:f3:90)
>> Internet Protocol, Src: X.X.X.X (X.X.X.X), Dst: X.X.X.X (X.X.X.X)
>> Transmission Control Protocol, Src Port: kerberos (88), Dst Port: 65248
>> (65248), Seq: 1, Ack: 1660, Len: 125
>> Kerberos KRB-ERROR
>> Record Mark: 121 bytes
>> Pvno: 5
>> MSG Type: KRB-ERROR (30)
>> stime: 2010-05-11 10:44:11 (UTC)
>> susec: 313474
>> error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
>> Realm: DOMAIN.LOCAL
>> Server Name (Service and Instance): HTTP/squid3-proxy.domain.local
>> Name-type: Service and Instance (2)
>> Name: HTTP
>> Name: squid3-proxy.domain.local
>>
>> On this client pc, it is a windows vista, I have different kerberos
>> tickets: (as per kerbtray)
>>
>> DOMAIN.LOCAL
>> |_ cifs/adserver1.domain.local
>> |_ krbtgt/DOMAIN.LOCAL
>> |_ krbtgt/DOMAIN.LOCAL
>> |_ LDAP/adserver1.domin.local/domain.local
>> |_ ProtectedStorage/adserver1.domain.local
>>
>> The encryption types are for all tickets:
>> Kerberos AES256-CTS-HMAC-SHA1-96 (both for ticket and key encryption
>> type)
>>
>> The client principal is userid_at_DOMAIN.LOCAL
>>
>>
>> I also traced DNS on udp and tcp 53, this seems to work ok; it shows a
>> lookup of the requested site and then a reply from the adserver (also
>> dns) with the ip of the site.
>> I don't see any lookup of the proxy-server fqdn that is put as the
>> connection proxy setting in the browser. (it is
>> squid3-proxy.domain.local)
>>
>>
>>
>> Next, I tried to follow the requests on port 3128 tcp to the proxyserver:
>>
>> 1) the client requests a webpage to the proxyserver on port 3128: "GET
>> http://www.google.be/ HTTP/1.1" (http protocol)
>> 2) proxy sends back a 407: (http) "HTTP/1.0 407 Proxy Authentication
>> Requied (text/html)"
>> 3) client responds with (http) "GET http://www.google.be/ HTTP/1.1 ,
>> NTLMSSP_NEGOTIATE"
>>
>> Between each point there is some tcp syn/ack/fin traffic which I can
>> post if needed.
>>
>> The last 2 points are repeated a few times where the proxy requests
>> authentication, expecting kerberos and the client responding with ntlm
>> for some reason.
>>
>> In Firefox, It is the same as IE, proxy auth required followd by an
>> ntlmssp_negotiate from the client.
>>
>>
>>
>> Why I don't get kerberos to work is a mistery to me as it seems to work
>> in the domain itself when computers authenticate to get access to shares
>> etc...
>>
>> Any clues welcome.
>>
>> thanks,
>>
>> Lieven
>>
>>
>
> WARNING: This electronic transmission contains confidential information,
> intended only for the person(s) named above, and is privileged. If you
> are not the intended recipient, you are hereby notified that any
> disclosure, copying, distribution, or any other use of this email is
> strictly prohibited. If you have received this transmission by error,
> please notify us immediately by return email and destroy the original
> transmission immediately and all copies thereof.
>
> AVIS IMPORTANT: Cette transmission électronique est strictement réservée
> à l'usage de la (des) personne(s) à qui elle est adressée et contient
> des informations privilégiées et confidentielles. Toute divulgation,
> distribution, copie, ou autre utilisation de cette transmission par une
> autre personne est strictement prohibée. Si vous avez reçu ce courriel
> par erreur, veuillez s'il vous plaît en aviser immédiatement
> l'expéditeur par courriel et détruire tout exemplaire ou copie de la
> transmission originale.
>
-- Please Visit us at V-ICT-OR shopt IT 25 May 2010 - De Montil - Affligem Lieven De Puysseleir BA N.V. - http://www.ba.be Dalemhof 28, 3000 Leuven tel: 0032 (0)16 29 80 45
This archive was generated by hypermail 2.2.0 : Tue May 11 2010 - 12:00:04 MDT