Hello again,
This time, I got access to a pc in the AD domain.
When I monitor for both udp and tcp port 88, there is krb communication
to be seen but it doesn't look right.
From AD server to client I see the following error:
krb5kdc_err_s_principal_unknown
It looks like this: (only krb5 and some tcp lines)
1. server -> client: Krb Error: krb5kdc_err_s_principal_unknown
2. client -> server: AS-REQ
3. server -> client: KRB Error: krb5kdc_err_preauth_required
4. client -> server: AS-REQ
5. server -> client: AS-REP
6. client -> server: AS-REQ
7. server -> client: KRB Error: krb5kdc_err_preauth_required
...{4-7} X7
this sequence, starting from 3 is repeated a few times, as many times as
I had to enter credentials in IE popup.
Here is a detail from the error packet principal unknown:
No. Time Source Destination Protocol
Info
6 0.009940 X.X.X.X X.X.X.X KRB5 KRB
Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
Frame 6 (179 bytes on wire, 179 bytes captured)
Ethernet II, Src: Vmware_7e:84:97 (00:0c:29:7e:84:97), Dst:
Dell_48:f3:90 (00:24:e8:48:f3:90)
Internet Protocol, Src: X.X.X.X (X.X.X.X), Dst: X.X.X.X (X.X.X.X)
Transmission Control Protocol, Src Port: kerberos (88), Dst Port: 65248
(65248), Seq: 1, Ack: 1660, Len: 125
Kerberos KRB-ERROR
Record Mark: 121 bytes
Pvno: 5
MSG Type: KRB-ERROR (30)
stime: 2010-05-11 10:44:11 (UTC)
susec: 313474
error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
Realm: DOMAIN.LOCAL
Server Name (Service and Instance): HTTP/squid3-proxy.domain.local
Name-type: Service and Instance (2)
Name: HTTP
Name: squid3-proxy.domain.local
On this client pc, it is a windows vista, I have different kerberos
tickets: (as per kerbtray)
DOMAIN.LOCAL
|_ cifs/adserver1.domain.local
|_ krbtgt/DOMAIN.LOCAL
|_ krbtgt/DOMAIN.LOCAL
|_ LDAP/adserver1.domin.local/domain.local
|_ ProtectedStorage/adserver1.domain.local
The encryption types are for all tickets:
Kerberos AES256-CTS-HMAC-SHA1-96 (both for ticket and key encryption type)
The client principal is userid@xxxxxxxxxxxx
I also traced DNS on udp and tcp 53, this seems to work ok; it shows a
lookup of the requested site and then a reply from the adserver (also
dns) with the ip of the site.
I don't see any lookup of the proxy-server fqdn that is put as the
connection proxy setting in the browser. (it is squid3-proxy.domain.local)
Next, I tried to follow the requests on port 3128 tcp to the proxyserver:
1) the client requests a webpage to the proxyserver on port 3128: "GET
http://www.google.be/ HTTP/1.1" (http protocol)
2) proxy sends back a 407: (http) "HTTP/1.0 407 Proxy Authentication
Requied (text/html)"
3) client responds with (http) "GET http://www.google.be/ HTTP/1.1 ,
NTLMSSP_NEGOTIATE"
Between each point there is some tcp syn/ack/fin traffic which I can
post if needed.
The last 2 points are repeated a few times where the proxy requests
authentication, expecting kerberos and the client responding with ntlm
for some reason.
In Firefox, It is the same as IE, proxy auth required followd by an
ntlmssp_negotiate from the client.
Why I don't get kerberos to work is a mistery to me as it seems to work
in the domain itself when computers authenticate to get access to shares
etc...
Any clues welcome.
thanks,
Lieven
--
Please Visit us at V-ICT-OR shopt IT
25 May 2010 - De Montil - Affligem
Lieven De Puysseleir
BA N.V. - http://www.ba.be
Dalemhof 28, 3000 Leuven
tel: 0032 (0)16 29 80 45
begin:vcard
fn:Lieven De Puysseleir
n:De Puysseleir;Lieven
org:BA n.v.;IT Support Desk
adr:;;Dalemhof 28;Leuven;Vlaams-Brabant;3000;Belgium
email;internet:lieven@xxxxx
title:IT Support
tel;work:016 29 80 45
tel;fax:016 29 80 46
x-mozilla-html:FALSE
url:www.ba.be
version:2.1
end:vcard
