How can I check this bind compatibility? The server is a Windows 2008, so
I assumed it just used Kerberos when I added the Vista PC to the domain.
Yes, I have the same visible behavior with an XP client, although I could
not check Wireshark on port 88 because the XP is connected via VPN.
thanks,
Lieven
Tim Neto wrote:
How is the Vista machine bound to the Active Directory domain? NTLM
compatibility? Does the same behavior occur with an XP client?
----------------------------------------------------------------------
Timothy E. Neto
Computer Systems Engineer
SMS Construction and Mining Systems Inc.
5985 McLaughlin Road, Mississauga, Canada, L5R 1B8
E-M: tneto@xxxxxxxxxxx
Ph#: 905-283-2770 x265
Fax: 905-283-2779
----------------------------------------------------------------------
On 5/11/2010 8:27 AM, lieven wrote:
Hello again,
This time, I got access to a pc in the AD domain.
When I monitor both UDP and TCP port 88, there is Kerberos communication
to be seen, but it doesn't look right.
From the AD server to the client I see the following error:
krb5kdc_err_s_principal_unknown
It looks like this (only krb5 and some TCP lines):
1. server -> client: Krb Error: krb5kdc_err_s_principal_unknown
2. client -> server: AS-REQ
3. server -> client: KRB Error: krb5kdc_err_preauth_required
4. client -> server: AS-REQ
5. server -> client: AS-REP
6. client -> server: AS-REQ
7. server -> client: KRB Error: krb5kdc_err_preauth_required
...{4-7} X7
This sequence, starting from 3, is repeated a few times, as many times as
I had to enter credentials in the IE popup.
Here is a detail from the error packet principal unknown:
No. Time Source Destination Protocol Info
6 0.009940 X.X.X.X X.X.X.X KRB5 KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
Frame 6 (179 bytes on wire, 179 bytes captured)
Ethernet II, Src: Vmware_7e:84:97 (00:0c:29:7e:84:97), Dst:
Dell_48:f3:90 (00:24:e8:48:f3:90)
Internet Protocol, Src: X.X.X.X (X.X.X.X), Dst: X.X.X.X (X.X.X.X)
Transmission Control Protocol, Src Port: kerberos (88), Dst Port: 65248
(65248), Seq: 1, Ack: 1660, Len: 125
Kerberos KRB-ERROR
Record Mark: 121 bytes
Pvno: 5
MSG Type: KRB-ERROR (30)
stime: 2010-05-11 10:44:11 (UTC)
susec: 313474
error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
Realm: DOMAIN.LOCAL
Server Name (Service and Instance): HTTP/squid3-proxy.domain.local
Name-type: Service and Instance (2)
Name: HTTP
Name: squid3-proxy.domain.local
On this client PC (it is a Windows Vista) I have the following Kerberos
tickets (as per kerbtray):
DOMAIN.LOCAL
|_ cifs/adserver1.domain.local
|_ krbtgt/DOMAIN.LOCAL
|_ krbtgt/DOMAIN.LOCAL
|_ LDAP/adserver1.domin.local/domain.local
|_ ProtectedStorage/adserver1.domain.local
The encryption type for all tickets is Kerberos AES256-CTS-HMAC-SHA1-96
(both for the ticket and the key encryption type).
The client principal is userid@xxxxxxxxxxxx
I also traced DNS on UDP and TCP 53; this seems to work OK. It shows a
lookup of the requested site and then a reply from the AD server (also
DNS) with the IP of the site.
I don't see any lookup of the proxy server FQDN that is set as the
connection proxy in the browser (it is squid3-proxy.domain.local).
Next, I tried to follow the requests on TCP port 3128 to the proxy server:
1) the client requests a web page from the proxy server on port 3128: "GET
http://www.google.be/ HTTP/1.1" (HTTP protocol)
2) the proxy sends back a 407: (HTTP) "HTTP/1.0 407 Proxy Authentication
Required (text/html)"
3) the client responds with (HTTP) "GET http://www.google.be/ HTTP/1.1 ,
NTLMSSP_NEGOTIATE"
Between each point there is some tcp syn/ack/fin traffic which I can
post if needed.
The last two points are repeated a few times: the proxy requests
authentication, expecting Kerberos, and the client responds with NTLM
for some reason.
In Firefox it is the same as in IE: proxy auth required, followed by an
NTLMSSP_NEGOTIATE from the client.
Why I can't get Kerberos to work is a mystery to me, as it seems to work
in the domain itself when computers authenticate to get access to shares
etc.
Any clues welcome.
thanks,
Lieven
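The trace above shows the two halves of the problem side by side: the KDC answers with KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for HTTP/squid3-proxy.domain.local (no account in AD carries that SPN, so no service ticket can be issued), and the browser then answers the proxy's 407 with NTLMSSP_NEGOTIATE instead of a Kerberos token. The script below is an added example, not code from the thread or from Squid: it correlates those two events per client over a simplified, constructed capture summary (frame, src, dst, proto, info; the IPs and the SPN-in-Info layout are assumptions, not the original capture) so that a silent NTLM fallback can be spotted from a packet capture rather than from a credentials popup.

```python
"""Correlate a rejected Kerberos SPN with a later NTLM fallback to a proxy."""
import re
from typing import Dict, List

# One row per frame: frame number, source, destination, protocol, info text.
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
# A Kerberos SPN such as HTTP/squid3-proxy.domain.local (service/host).
SPN_RE = re.compile(r"\b([A-Za-z]+/[\w.-]+)")

# Constructed sample, not the original capture. 10.0.0.10 is the KDC (AD),
# 10.0.0.30 the Squid proxy, 10.0.0.20 the Vista client, 10.0.0.21 a healthy client.
SAMPLE_SUMMARY = """\
5   10.0.0.20  10.0.0.10  KRB5  TGS-REQ HTTP/squid3-proxy.domain.local
6   10.0.0.10  10.0.0.20  KRB5  KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
7   10.0.0.20  10.0.0.30  HTTP  GET http://www.google.be/ HTTP/1.1
8   10.0.0.30  10.0.0.20  HTTP  HTTP/1.0 407 Proxy Authentication Required
9   10.0.0.20  10.0.0.30  HTTP  GET http://www.google.be/ HTTP/1.1 , NTLMSSP_NEGOTIATE
10  10.0.0.21  10.0.0.10  KRB5  TGS-REQ cifs/adserver1.domain.local
11  10.0.0.10  10.0.0.21  KRB5  TGS-REP
"""


def parse(summary: str) -> List[Dict]:
    """Turn the summary text into a list of frame dicts; unparsable lines are skipped."""
    rows = []
    for line in summary.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frame, src, dst, proto, info = m.groups()
            rows.append({"frame": int(frame), "src": src, "dst": dst, "proto": proto, "info": info})
    return rows


def find_ntlm_fallback(rows: List[Dict]) -> List[Dict]:
    """Report clients that hit S_PRINCIPAL_UNKNOWN for an SPN and then sent NTLMSSP_NEGOTIATE after a 407."""
    pending_spn: Dict[str, str] = {}   # client -> SPN named in its latest TGS-REQ
    unknown_spn: Dict[str, str] = {}   # client -> SPN the KDC did not know
    got_407 = set()                    # clients challenged by the proxy after a rejected SPN
    findings = []
    for r in rows:
        if r["proto"] == "KRB5" and r["info"].startswith("TGS-REQ"):
            m = SPN_RE.search(r["info"])
            if m:
                pending_spn[r["src"]] = m.group(1)
        elif r["proto"] == "KRB5" and "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN" in r["info"]:
            unknown_spn[r["dst"]] = pending_spn.get(r["dst"], "<SPN not seen>")
        elif r["proto"] == "HTTP" and " 407 " in r["info"] and r["dst"] in unknown_spn:
            got_407.add(r["dst"])
        elif r["proto"] == "HTTP" and "NTLMSSP_NEGOTIATE" in r["info"] and r["src"] in got_407:
            findings.append({"frame": r["frame"], "client": r["src"], "proxy": r["dst"],
                             "spn": unknown_spn[r["src"]]})
            got_407.discard(r["src"])  # report each challenge/fallback pair once
    return findings


if __name__ == "__main__":
    for f in find_ntlm_fallback(parse(SAMPLE_SUMMARY)):
        print(f"frame {f['frame']}: {f['client']} fell back to NTLM at proxy {f['proxy']} "
              f"after KDC rejected SPN {f['spn']}")
```

The reported SPN is the one to look up in AD; the healthy client (cifs/ ticket issued) produces no finding.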
--
Please Visit us at V-ICT-OR shopt IT
25 May 2010 - De Montil - Affligem
Lieven De Puysseleir
BA N.V. - http://www.ba.be
Dalemhof 28, 3000 Leuven
tel: 0032 (0)16 29 80 45