[38687] in Kerberos
MIT Kerberos 4.0.1 restrictions
daemon@ATHENA.MIT.EDU (=?utf-8?B?0JzQsNC60YHQuNC8?=)
Mon Feb 24 11:28:27 2020
From: =?utf-8?B?0JzQsNC60YHQuNC8?= <tm-email@ya.ru>
Envelope-From: tm-email@yandex.ru
To: kerberos@mit.edu
Date: Mon, 24 Feb 2020 18:59:40 +0300
Message-ID: <8685431582559980@vla4-d1c3bcedfacb.qloud-c.yandex.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
<div><span style="background-color:#ffffff;color:#000000;float:none;font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">Hi!</span><br style="background-color:rgb( 255 , 255 , 255 );color:rgb( 0 , 0 , 0 );font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" /><br style="background-color:rgb( 255 , 255 , 255 );color:rgb( 0 , 0 , 0 );font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" /><span style="background-color:#ffffff;color:#000000;float:none;font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transfor!
m:none;white-space:normal;word-spacing:0px">We develop ASP.NET MVC portal that interacts with Oracle 12c using ODP.NET</span><br style="background-color:rgb( 255 , 255 , 255 );color:rgb( 0 , 0 , 0 );font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" /><span style="background-color:#ffffff;color:#000000;float:none;font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">12.2.1100 managed driver. ODP.NET uses MIT Kerberos 4.0.1 to connect to</span><br style="background-color:rgb( 255 , 255 , 255 );color:rgb( 0 , 0 , 0 );font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" /><span style="ba!
ckground-color:#ffffff;color:#000000;float:none;font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">Oracle via Kerberos. According to the documentation, we configured the</span><br style="background-color:rgb( 255 , 255 , 255 );color:rgb( 0 , 0 , 0 );font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" /><span style="background-color:#ffffff;color:#000000;float:none;font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">database connection using Kerberos. Everything works well, but only for a</span><br style="background-color:rgb( 255 , 255 , 255 );color:rgb( 0 , 0 , 0 );font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text!
-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" /><span style="background-color:#ffffff;color:#000000;float:none;font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">part of Active Directory users while the other part gets the ora-12631 error.</span><br style="background-color:rgb( 255 , 255 , 255 );color:rgb( 0 , 0 , 0 );font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" /><span style="background-color:#ffffff;color:#000000;float:none;font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">Numerous experiments on problem users have sho!
wn that they are all included</span><br style="background-color:rgb( 255 , 255 , 255 );color:rgb( 0 , 0 , 0 );font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" /><span style="background-color:#ffffff;color:#000000;float:none;font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">in a large number of Active Directory security groups, and if the problem</span><br style="background-color:rgb( 255 , 255 , 255 );color:rgb( 0 , 0 , 0 );font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" /><span style="background-color:#ffffff;color:#000000;float:none;font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initia!
l;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">user is excluded from certain Active Directory groups, the connection to the</span><br style="background-color:rgb( 255 , 255 , 255 );color:rgb( 0 , 0 , 0 );font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" /><span style="background-color:#ffffff;color:#000000;float:none;font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">database via Kerberos passes without problems. It was found that the Kerberos</span><br style="background-color:rgb( 255 , 255 , 255 );color:rgb( 0 , 0 , 0 );font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:nor!
mal;word-spacing:0px" /><span style="background-color:#ffffff;color:#000000;float:none;font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">token for problem users has a larger size in relation to other users. The</span><br style="background-color:rgb( 255 , 255 , 255 );color:rgb( 0 , 0 , 0 );font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" /><span style="background-color:#ffffff;color:#000000;float:none;font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">Kerberos token is passed from the client to the web server (IIS in our case)</span><br style="background-color:rgb( 255 , 255 , 255 );color:rgb( 0 , 0 , 0 );font-family:'arial' , sans-serif;font-siz!
e:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" /><span style="background-color:#ffffff;color:#000000;float:none;font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">in the http header. Accordingly, we maximized the value of the MaxTokenSize</span><br style="background-color:rgb( 255 , 255 , 255 );color:rgb( 0 , 0 , 0 );font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" /><span style="background-color:#ffffff;color:#000000;float:none;font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">par!
ameter on the client and on the server, but this did not help. On the</span><br style="background-color:rgb( 255 , 255 , 255 );color:rgb( 0 , 0 , 0 );font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" /><span style="background-color:#ffffff;color:#000000;float:none;font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">server, we increased the values of the MaxFieldLength and MaxRequestBytes</span><br style="background-color:rgb( 255 , 255 , 255 );color:rgb( 0 , 0 , 0 );font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" /><span style="background-color:#ffffff;color:#000000;float:none;font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font!
-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">parameters to the maximum, but this did not help. We completely disabled the</span><br style="background-color:rgb( 255 , 255 , 255 );color:rgb( 0 , 0 , 0 );font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" /><span style="background-color:#ffffff;color:#000000;float:none;font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">antivirus SOFTWARE on both the client and server, but it didn't help.</span><br style="background-color:rgb( 255 , 255 , 255 );color:rgb( 0 , 0 , 0 );font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;tex!
t-transform:none;white-space:normal;word-spacing:0px" /><br style="background-color:rgb( 255 , 255 , 255 );color:rgb( 0 , 0 , 0 );font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" /><span style="background-color:#ffffff;color:#000000;float:none;font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">In accordance with all of the above, can MIT Kerberos 4.0.1 have restrictions</span><br style="background-color:rgb( 255 , 255 , 255 );color:rgb( 0 , 0 , 0 );font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" /><span style="background-color:#ffffff;color:#000000;float:none;font-family:'arial' , sans-serif;font-size:15px;font-style:normal;font-weight:400;text!
-decoration-style:initial;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">on the size of the Kerberos token?</span></div>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
