[23858] in Kerberos
Decrypting KRB_AS_REP ticket
daemon@ATHENA.MIT.EDU (Kallapur, Madhusudan V)
Mon May 9 17:24:06 2005
Date: Tue, 10 May 2005 02:53:24 +0530
Message-ID: <612713304D0B0D4686D61B6EECF4E46B0210F60B@bgsmsx403>
From: "Kallapur, Madhusudan V" <madhusudan.v.kallapur@intel.com>
To: <Kerberos@mit.edu>

Hi,

I am trying to create a quick prototype for a kerberized service which
would look at the authorization data (with SIDs) present in the service
ticket and accept/reject the service request. To start with, I created
an SPN in Active Directory (Windows 2003 domain controller/KDC) for
this service using "ktpass" with the -princ and -mapuser options, with -crypto
being RC4-HMAC-NT. Then I created a service ticket for this service
using the "kinit -S service" option; I did this from a Linux client in the
same domain with a user account. Now I am trying to decrypt the
KRB_AS_REP packet which contains the service ticket and get the
authorization data. I used the "krb5_arcfour_decrypt" API for the
decryption. I see that the decryption fails with
KRB5KRB_AP_ERR_BAD_INTEGRITY. I am using the service key given out by
the "ktpass" tool after it created the keytab file, to decrypt the
service ticket.

I am suspecting that the key used by the KDC for generating this service
request may be different than the one thrown out by "ktpass".

Has anyone seen this before? Does anyone know why this is not working?
Any help/suggestions would be greatly appreciated.

Thanks,
Madhu
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
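
Added example, not part of the original message and not MIT krb5 code: the RC4-HMAC decryption and integrity check from RFC 4757, the check that produces KRB5KRB_AP_ERR_BAD_INTEGRITY when the key or the key usage number does not match the one the KDC used. The keys, ticket body and helper names are constructed for the illustration; key usage 2 is the RFC 4120 value for a ticket's encrypted part.

```python
import hashlib, hmac, os, struct

TICKET_USAGE = 2  # RFC 4120 key usage for a ticket's enc-part

def rc4(key, data):
    s, j = list(range(256)), 0
    for i in range(256):                      # key schedule
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                         # XOR with the keystream
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def md5_mac(key, msg):
    return hmac.new(key, msg, hashlib.md5).digest()

def rc4_hmac_encrypt(key, usage, plaintext):  # only builds the sample below
    k1 = md5_mac(key, struct.pack("<I", usage))
    data = os.urandom(8) + plaintext          # 8-byte confounder
    cksum = md5_mac(k1, data)
    return cksum + rc4(md5_mac(k1, cksum), data)

def rc4_hmac_decrypt(key, usage, blob):
    """Return the plaintext, or raise ValueError if the HMAC does not verify."""
    if len(blob) < 24:
        raise ValueError("too short for checksum + confounder")
    k1 = md5_mac(key, struct.pack("<I", usage))
    cksum, body = blob[:16], blob[16:]
    data = rc4(md5_mac(k1, cksum), body)
    if not hmac.compare_digest(md5_mac(k1, data), cksum):
        raise ValueError("integrity check failed: wrong key or key usage")
    return data[8:]

def matching_key(blob, candidates, usage=TICKET_USAGE):
    """Name of the first candidate key (e.g. keytab entries) that verifies."""
    for name, key in candidates.items():
        try:
            rc4_hmac_decrypt(key, usage, blob)
            return name
        except ValueError:
            pass
    return None

# Constructed sample keys and ticket body, not real data.
KDC_KEY = bytes(range(16))
KEYTAB_KEY = bytes(range(1, 17))
SAMPLE = rc4_hmac_encrypt(KDC_KEY, TICKET_USAGE, b"constructed EncTicketPart")
```

Because the checksum is keyed by both the long-term key and the usage number, a correct key used with a different usage value fails in the same way as a wrong key.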