[19857] in Kerberos_V5_Development
Re: TGS granting
daemon@ATHENA.MIT.EDU (moore moore)
Thu Nov 8 10:59:19 2018
Date: Thu, 8 Nov 2018 09:59:45 +0000 (UTC)
From: moore moore <moore_chestnut@yahoo.ie>
To: Derek Atkins <derek@ihtfp.com>
Message-ID: <1874063626.1396205.1541671185695@mail.yahoo.com>
In-Reply-To: <1096762613.3405289.1541545920035@mail.yahoo.com>
MIME-Version: 1.0
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Hello Derek,
After some further research, if I understand a bit better, the AP request between proxy and service is being delivered over SPNEGO. It is incorrect to think that it would have been explicitly visible in the trace between proxy and KDC, since it will be in the HTTP request from proxy to server.
Maybe the following is the reason I get so many 401 reauths from the server:
From 3.2.2. Generation of a KRB_AP_REQ Message in RFC4120
"Authenticators MUST NOT be re-used and SHOULD be rejected if replayed to a server."
So if I understand based on your previous info also, would the following be on the correct path:
- cache the service ticket
- on reauths, generate new authenticator and reuse a cached service ticket
- somehow encapsulate the service ticket and NEW authenticator into AP REQ
- deliver over SPNEGO to the server on kerberised server.
- thus eliminating the need for excessive round trips from proxy to KDC
If this is practical, I will try to figure out the kerb library API.
Appreciate your help.
On Tuesday 6 November 2018, 23:12:00 GMT, moore moore <moore_chestnut@yahoo.ie> wrote:
Hello Derek,
Thanks again for the helpful information.
Time skew is not present and the service ticket is cached.
OK, so at the moment, every time there is a 401 from the kerberised windows server, the application process (on the proxy) goes to the KDC.
In wireshark, this always shows as a TGS-REQ/TGS-RSP
I never see an AP-REQ/AP-RSP in the trace/wireshark. BUT, looking at the kerberos library logs, I see it mentioned there. And then I checked tcpdump and I see AP-REQ as a value in some of the TGS-REQs.
Sample kerb log below.
Here there is
- AS-REQ and pre auth requested for proxy@test.com user.
- AS-REQ and RSP for proxy@test.com user.
- Sample TGS-REQ/RSP for testuser@test.com ( can see AP-REQ) in log.
This is between proxy and KDC. So I am not sure if I can get some data/token from this and use it between proxy and service, which is over HTTP SPNEGO.
Is there sample code/API documentation you could refer me to so I could try to understand how to build and use the AP-REQ?
Thank you for your time.
[14791] 1538167075.224560: Getting initial credentials for proxy@test.com
[14791] 1538167075.225189: Looked up etypes in keytab: rc4-hmac
[14791] 1538167075.225577: Sending request (177 bytes) to TEST.COM
[14791] 1538167075.225915: Resolving hostname 172.21.162.211
[14791] 1538167075.226408: Sending initial UDP request to dgram 172.21.162.211:88
[14791] 1538167075.227366: Received answer (214 bytes) from dgram 172.21.162.211:88
[14791] 1538167075.228299: Response was not from master KDC
[14791] 1538167075.228471: Received error from KDC: -1765328359/Additional pre-authentication required
[14791] 1538167075.228653: Processing preauth types: 16, 15, 19, 2
[14791] 1538167075.228829: Selected etype info: etype rc4-hmac, salt "", params ""
[14791] 1538167075.229021: Retrieving proxy@test.com from FILE:/etc/krb5.keytab (vno 0, enctype rc4-hmac) with result: 0/Success
[14791] 1538167075.229146: AS key obtained for encrypted timestamp: rc4-hmac/2163
[14791] 1538167075.229309: Encrypted timestamp (for 1538167075.859690): plain 301AA011180F32303138303932383230333735355AA10502030D1E2A, encrypted 717BCF6554C1F514AB6D86FB08D00E9BEA7EF1B56C6996DA76E0AB5D9812D5E0C4233E6DC88A7EEA6582FA5FDC22ADB86F95D178
[14791] 1538167075.229428: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[14791] 1538167075.229520: Produced preauth for next request: 2
[14791] 1538167075.229625: Sending request (251 bytes) to TEST.COM
[14791] 1538167075.229750: Resolving hostname 172.21.162.211
[14791] 1538167075.229923: Sending initial UDP request to dgram 172.21.162.211:88
[14791] 1538167075.230849: Received answer (98 bytes) from dgram 172.21.162.211:88
[14791] 1538167075.231488: Response was not from master KDC
[14791] 1538167075.231613: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[14791] 1538167075.231736: Request or response is too big for UDP; retrying with TCP
[14791] 1538167075.231832: Sending request (251 bytes) to TEST.COM (tcp only)
[14791] 1538167075.231927: Resolving hostname 172.21.162.211
[14791] 1538167075.232095: Initiating TCP connection to stream 172.21.162.211:88
[14791] 1538167075.232374: Sending TCP request to stream 172.21.162.211:88
[14791] 1538167075.233225: Received answer (1548 bytes) from stream 172.21.162.211:88
[14791] 1538167075.233701: Response was not from master KDC
[14791] 1538167075.233829: Salt derived from principal: TEST.COMproxy
[14791] 1538167075.233933: AS key determined by preauth: rc4-hmac/2163
[14791] 1538167075.234083: Decrypted AS reply; session key is: rc4-hmac/FAF6
[14791] 1538167075.234202: FAST negotiation: unavailable
[14791] 1538167075.234328: Initializing FILE:/tmp/krb5cc_0 with default princ proxy@test.com
[14791] 1538167075.234524: Removing proxy@test.com -> krbtgt/TEST.COM@TEST.COM from FILE:/tmp/krb5cc_0
[14791] 1538167075.234629: Storing proxy@test.com -> krbtgt/TEST.COM@TEST.COM in FILE:/tmp/krb5cc_0
[14791] 1538167075.234885: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/TEST.COM@TEST.COM: pa_type: 2
[14791] 1538167075.235039: Removing proxy@test.com -> krb5_ccache_conf_data/pa_type/krbtgt\/TEST.COM\@TEST.COM@X-CACHECONF: from FILE:/tmp/krb5cc_0
[14791] 1538167075.235143: Storing proxy@test.com -> krb5_ccache_conf_data/pa_type/krbtgt\/TEST.COM\@TEST.COM@X-CACHECONF: in FILE:/tmp/krb5cc_0
[14791] 1538167075.241199: Getting credentials testuser@TEST.COM -> proxy@test.com using ccache FILE:/tmp/krb5cc_0
[14791] 1538167075.241446: Retrieving testuser@TEST.COM -> proxy@test.com from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
[14791] 1538167075.241571: Getting credentials proxy@test.com -> krbtgt/TEST.COM@TEST.COM using ccache FILE:/tmp/krb5cc_0
[14791] 1538167075.241755: Retrieving proxy@test.com -> krbtgt/TEST.COM@TEST.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[14791] 1538167075.241886: Get cred via TGT krbtgt/TEST.COM@TEST.COM after requesting proxy@test.com (canonicalize on)
[14791] 1538167075.241986: Generated subkey for TGS request: rc4-hmac/86EA
[14791] 1538167075.242096: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[14791] 1538167075.242257: Encoding request body and padata into FAST request
[14791] 1538167075.242433: Sending request (2176 bytes) to TEST.COM
[14791] 1538167075.242534: Resolving hostname 172.21.162.211
[14791] 1538167075.242729: Initiating TCP connection to stream 172.21.162.211:88
[14791] 1538167075.243002: Sending TCP request to stream 172.21.162.211:88
[14791] 1538167075.244768: Received answer (1842 bytes) from stream 172.21.162.211:88
[14791] 1538167075.245459: Response was not from master KDC
[14791] 1538167075.245556: Decoding FAST response
[14791] 1538167075.245748: FAST reply key: rc4-hmac/F069
[14791] 1538167075.245871: TGS reply is for testuser@TEST.COM -> proxy@test.com with session key rc4-hmac/AEF0
[14791] 1538167075.245967: Got cred; 0/Success
[14791] 1538167075.246061: Resolving unique ccache of type MEMORY
[14791] 1538167075.246144: Initializing MEMORY:sAA7vI4 with default princ testuser@TEST.COM
[14791] 1538167075.246270: Removing proxy@test.com -> krbtgt/TEST.COM@TEST.COM from MEMORY:sAA7vI4
[14791] 1538167075.246347: Storing proxy@test.com -> krbtgt/TEST.COM@TEST.COM in MEMORY:sAA7vI4
[14791] 1538167075.246444: Removing proxy@test.com -> krb5_ccache_conf_data/pa_type/krbtgt\/TEST.COM\@TEST.COM@X-CACHECONF: from MEMORY:sAA7vI4
[14791] 1538167075.246520: Storing proxy@test.com -> krb5_ccache_conf_data/pa_type/krbtgt\/TEST.COM\@TEST.COM@X-CACHECONF: in MEMORY:sAA7vI4
[14791] 1538167075.246613: Storing config in MEMORY:sAA7vI4 for : proxy_impersonator: proxy@test.com
[14791] 1538167075.246737: Removing testuser@TEST.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from MEMORY:sAA7vI4
[14791] 1538167075.246813: Storing testuser@TEST.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: in MEMORY:sAA7vI4
[14791] 1538167075.246891: Removing testuser@TEST.COM -> proxy@test.com from MEMORY:sAA7vI4
[14791] 1538167075.246963: Storing testuser@TEST.COM -> proxy@test.com in MEMORY:sAA7vI4
[14791] 1538167075.247319: Getting credentials testuser@TEST.COM -> proxy@test.com using ccache FILE:/tmp/krb5cc_0
[14791] 1538167075.247489: Retrieving testuser@TEST.COM -> proxy@test.com from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
[14791] 1538167075.247576: Getting credentials proxy@test.com -> krbtgt/TEST.COM@TEST.COM using ccache FILE:/tmp/krb5cc_0
[14791] 1538167075.247758: Retrieving proxy@test.com -> krbtgt/TEST.COM@TEST.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[14791] 1538167075.247863: Get cred via TGT krbtgt/TEST.COM@TEST.COM after requesting proxy@test.com (canonicalize on)
[14791] 1538167075.247953: Generated subkey for TGS request: rc4-hmac/F169
[14791] 1538167075.248043: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[14791] 1538167075.248184: Encoding request body and padata into FAST request
[14791] 1538167075.248353: Sending request (2176 bytes) to TEST.COM
[14791] 1538167075.248448: Resolving hostname 172.21.162.211
[14791] 1538167075.248605: Initiating TCP connection to stream 172.21.162.211:88
[14791] 1538167075.248931: Sending TCP request to stream 172.21.162.211:88
[14791] 1538167075.250602: Received answer (1842 bytes) from stream 172.21.162.211:88
[14791] 1538167075.251358: Response was not from master KDC
[14791] 1538167075.251478: Decoding FAST response
[14791] 1538167075.251629: FAST reply key: rc4-hmac/E50D
[14791] 1538167075.251805: TGS reply is for testuser@TEST.COM -> proxy@test.com with session key rc4-hmac/F1B4
[14791] 1538167075.251901: Got cred; 0/Success
[14791] 1538167075.251999: Resolving unique ccache of type MEMORY
[14791] 1538167075.252080: Initializing MEMORY:2zEVGbO with default princ testuser@TEST.COM
[14791] 1538167075.252202: Removing proxy@test.com -> krbtgt/TEST.COM@TEST.COM from MEMORY:2zEVGbO
[14791] 1538167075.252276: Storing proxy@test.com -> krbtgt/TEST.COM@TEST.COM in MEMORY:2zEVGbO
[14791] 1538167075.252371: Removing proxy@test.com -> krb5_ccache_conf_data/pa_type/krbtgt\/TEST.COM\@TEST.COM@X-CACHECONF: from MEMORY:2zEVGbO
[14791] 1538167075.252448: Storing proxy@test.com -> krb5_ccache_conf_data/pa_type/krbtgt\/TEST.COM\@TEST.COM@X-CACHECONF: in MEMORY:2zEVGbO
[14791] 1538167075.252538: Storing config in MEMORY:2zEVGbO for : proxy_impersonator: proxy@test.com
[14791] 1538167075.252614: Removing testuser@TEST.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from MEMORY:2zEVGbO
[14791] 1538167075.252721: Storing testuser@TEST.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: in MEMORY:2zEVGbO
[14791] 1538167075.252802: Removing testuser@TEST.COM -> proxy@test.com from MEMORY:2zEVGbO
[14791] 1538167075.252873: Storing testuser@TEST.COM -> proxy@test.com in MEMORY:2zEVGbO
[14791] 1538167075.253224: Getting credentials testuser@TEST.COM -> proxy@test.com using ccache FILE:/tmp/krb5cc_0
[14791] 1538167075.253394: Retrieving testuser@TEST.COM -> proxy@test.com from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
[14791] 1538167075.253482: Getting credentials proxy@test.com -> krbtgt/TEST.COM@TEST.COM using ccache FILE:/tmp/krb5cc_0
[14791] 1538167075.253634: Retrieving proxy@test.com -> krbtgt/TEST.COM@TEST.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[14791] 1538167075.253798: Get cred via TGT krbtgt/TEST.COM@TEST.COM after requesting proxy@test.com (canonicalize on)
[14791] 1538167075.253893: Generated subkey for TGS request: rc4-hmac/0FA7
[14791] 1538167075.253985: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[14791] 1538167075.254128: Encoding request body and padata into FAST request
[14791] 1538167075.254285: Sending request (2176 bytes) to TEST.COM
[14791] 1538167075.254380: Resolving hostname 172.21.162.211
[14791] 1538167075.254531: Initiating TCP connection to stream 172.21.162.211:88
[14791] 1538167075.254767: Sending TCP request to stream 172.21.162.211:88
[14791] 1538167075.256452: Received answer (1842 bytes) from stream 172.21.162.211:88
[14791] 1538167075.257177: Response was not from master KDC
[14791] 1538167075.257272: Decoding FAST response
[14791] 1538167075.257422: FAST reply key: rc4-hmac/F998
[14791] 1538167075.257538: TGS reply is for testuser@TEST.COM -> proxy@test.com with session key rc4-hmac/6958
[14791] 1538167075.257633: Got cred; 0/Success
[14791] 1538167075.257759: Resolving unique ccache of type MEMORY
[14791] 1538167075.257845: Initializing MEMORY:mhj20wl with default princ testuser@TEST.COM
[14791] 1538167075.257968: Removing proxy@test.com -> krbtgt/TEST.COM@TEST.COM from MEMORY:mhj20wl
[14791] 1538167075.258044: Storing proxy@test.com -> krbtgt/TEST.COM@TEST.COM in MEMORY:mhj20wl
[14791] 1538167075.258140: Removing proxy@test.com -> krb5_ccache_conf_data/pa_type/krbtgt\/TEST.COM\@TEST.COM@X-CACHECONF: from MEMORY:mhj20wl
[14791] 1538167075.258224: Storing proxy@test.com -> krb5_ccache_conf_data/pa_type/krbtgt\/TEST.COM\@TEST.COM@X-CACHECONF: in MEMORY:mhj20wl
[14791] 1538167075.258330: Storing config in MEMORY:mhj20wl for : proxy_impersonator: proxy@test.com
[14791] 1538167075.258407: Removing testuser@TEST.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from MEMORY:mhj20wl
[14791] 1538167075.258478: Storing testuser@TEST.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: in MEMORY:mhj20wl
[14791] 1538167075.258552: Removing testuser@TEST.COM -> proxy@test.com from MEMORY:mhj20wl
[14791] 1538167075.258623: Storing testuser@TEST.COM -> proxy@test.com in MEMORY:mhj20wl
[14791] 1538167075.258994: Getting credentials testuser@TEST.COM -> proxy@test.com using ccache FILE:/tmp/krb5cc_0
[14791] 1538167075.259163: Retrieving testuser@TEST.COM -> proxy@test.com from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
[14791] 1538167075.259251: Getting credentials proxy@test.com -> krbtgt/TEST.COM@TEST.COM using ccache FILE:/tmp/krb5cc_0
[14791] 1538167075.259403: Retrieving proxy@test.com -> krbtgt/TEST.COM@TEST.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[14791] 1538167075.259503: Get cred via TGT krbtgt/TEST.COM@TEST.COM after requesting proxy@test.com (canonicalize on)
[14791] 1538167075.259593: Generated subkey for TGS request: rc4-hmac/1E3B
[14791] 1538167075.259709: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[14791] 1538167075.259860: Encoding request body and padata into FAST request
[14791] 1538167075.260017: Sending request (2176 bytes) to TEST.COM
[14791] 1538167075.260113: Resolving hostname 172.21.162.211
[14791] 1538167075.260264: Initiating TCP connection to stream 172.21.162.211:88
[14791] 1538167075.260492: Sending TCP request to stream 172.21.162.211:88
[14791] 1538167075.262157: Received answer (1842 bytes) from stream 172.21.162.211:88
[14791] 1538167075.263296: Response was not from master KDC
[14791] 1538167075.263396: Decoding FAST response
[14791] 1538167075.263545: FAST reply key: rc4-hmac/C06A
[14791] 1538167075.263659: TGS reply is for testuser@TEST.COM -> proxy@test.com with session key rc4-hmac/A45B
[14791] 1538167075.263783: Got cred; 0/Success
[14791] 1538167075.263873: Resolving unique ccache of type MEMORY
[14791] 1538167075.263951: Initializing MEMORY:KH07w0C with default princ testuser@TEST.COM
[14791] 1538167075.264079: Removing proxy@test.com -> krbtgt/TEST.COM@TEST.COM from MEMORY:KH07w0C
[14791] 1538167075.264156: Storing proxy@test.com -> krbtgt/TEST.COM@TEST.COM in MEMORY:KH07w0C
[14791] 1538167075.264252: Removing proxy@test.com -> krb5_ccache_conf_data/pa_type/krbtgt\/TEST.COM\@TEST.COM@X-CACHECONF: from MEMORY:KH07w0C
[14791] 1538167075.264320: Storing proxy@test.com -> krb5_ccache_conf_data/pa_type/krbtgt\/TEST.COM\@TEST.COM@X-CACHECONF: in MEMORY:KH07w0C
[14791] 1538167075.264398: Storing config in MEMORY:KH07w0C for : proxy_impersonator: proxy@test.com
[14791] 1538167075.264464: Removing testuser@TEST.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from MEMORY:KH07w0C
[14791] 1538167075.264523: Storing testuser@TEST.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: in MEMORY:KH07w0C
[14791] 1538167075.264588: Removing testuser@TEST.COM -> proxy@test.com from MEMORY:KH07w0C
[14791] 1538167075.264648: Storing testuser@TEST.COM -> proxy@test.com in MEMORY:KH07w0C
[14791] 1538167075.265171: Getting credentials testuser@TEST.COM -> proxy@test.com using ccache MEMORY:sAA7vI4
[14791] 1538167075.265276: Retrieving testuser@TEST.COM -> proxy@test.com from MEMORY:sAA7vI4 with result: 0/Success
[14791] 1538167075.265424: Creating authenticator for testuser@TEST.COM -> proxy@test.com, seqnum 774377519, subkey rc4-hmac/46AC, session key rc4-hmac/AEF0
[14791] 1538167075.265952: Decrypted AP-REQ with server principal proxy@test.com: rc4-hmac/2163
[14791] 1538167075.266046: AP-REQ ticket: testuser@TEST.COM -> proxy@test.com, session key rc4-hmac/AEF0
[14791] 1538167075.266387: Negotiated enctype based on authenticator: rc4-hmac
[14791] 1538167075.266462: Authenticator contains subkey: rc4-hmac/46AC
[14791] 1538167075.266554: Resolving unique ccache of type MEMORY
[14791] 1538167075.266631: Initializing MEMORY:narfKr4 with default princ testuser@TEST.COM
[14791] 1538167075.266831: Removing proxy@test.com -> krbtgt/TEST.COM@TEST.COM from MEMORY:narfKr4
[14791] 1538167075.266921: Storing proxy@test.com -> krbtgt/TEST.COM@TEST.COM in MEMORY:narfKr4
[14791] 1538167075.267043: Removing proxy@test.com -> krb5_ccache_conf_data/pa_type/krbtgt\/TEST.COM\@TEST.COM@X-CACHECONF: from MEMORY:narfKr4
[14791] 1538167075.267137: Storing proxy@test.com -> krb5_ccache_conf_data/pa_type/krbtgt\/TEST.COM\@TEST.COM@X-CACHECONF: in MEMORY:narfKr4
[14791] 1538167075.267223: Storing config in MEMORY:narfKr4 for : proxy_impersonator: proxy@test.com
[14791] 1538167075.267292: Removing testuser@TEST.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from MEMORY:narfKr4
[14791] 1538167075.267352: Storing testuser@TEST.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: in MEMORY:narfKr4
[14791] 1538167075.267419: Removing testuser@TEST.COM -> proxy@test.com from MEMORY:narfKr4
[14791] 1538167075.267478: Storing testuser@TEST.COM -> proxy@test.com in MEMORY:narfKr4
[14791] 1538167075.268760: Retrieving testuser@TEST.COM -> proxy@test.com from MEMORY:narfKr4 with result: 0/Success
[14791] 1538167075.268838: Getting credentials proxy@test.com -> http/testserver.TEST.COM@TEST.COM using ccache MEMORY:narfKr4
[14791] 1538167075.268942: Retrieving proxy@test.com -> krbtgt/TEST.COM@TEST.COM from MEMORY:narfKr4 with result: 0/Success
[14791] 1538167075.269007: Starting with TGT for client realm: proxy@test.com -> krbtgt/TEST.COM@TEST.COM
[14791] 1538167075.269065: Requesting tickets for http/testserver.TEST.COM@TEST.COM, referrals on
[14791] 1538167075.269139: Generated subkey for TGS request: rc4-hmac/68E3
[14791] 1538167075.269221: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[14791] 1538167075.269369: Encoding request body and padata into FAST request
[14791] 1538167075.269577: Sending request (4026 bytes) to TEST.COM
[14791] 1538167075.269685: Resolving hostname 172.21.162.211
[14791] 1538167075.269846: Initiating TCP connection to stream 172.21.162.211:88
[14791] 1538167075.270110: Sending TCP request to stream 172.21.162.211:88
[14791] 1538167075.272750: Received answer (1932 bytes) from stream 172.21.162.211:88
[14791] 1538167075.273519: Response was not from master KDC
[14791] 1538167075.273623: Decoding FAST response
[14791] 1538167075.273844: FAST reply key: rc4-hmac/25D0
[14791] 1538167075.273980: TGS reply is for testuser@TEST.COM -> http/testserver.TEST.COM@TEST.COM with session key aes256-cts/81DC
[14791] 1538167075.274086: TGS request result: 0/Success
[14791] 1538167075.274161: Received creds for desired service http/testserver.TEST.COM@TEST.COM
[14791] 1538167075.274236: Removing testuser@TEST.COM -> http/testserver.TEST.COM@TEST.COM from MEMORY:narfKr4
[14791] 1538167075.274310: Storing testuser@TEST.COM -> http/testserver.TEST.COM@TEST.COM in MEMORY:narfKr4
[14791] 1538167075.274464: Creating authenticator for testuser@TEST.COM -> http/testserver.TEST.COM@TEST.COM, seqnum 1049723237, subkey aes256-cts/323A, session key aes256-cts/81DC
[14791] 1538167075.275185: Destroying ccache MEMORY:narfKr4
[14791] 1538167075.275320: Destroying ccache MEMORY:sAA7vI4
[14791] 1538167075.275477: Destroying ccache MEMORY:2zEVGbO
[14791] 1538167075.275631: Destroying ccache MEMORY:mhj20wl
[14791] 1538167075.275851: Destroying ccache MEMORY:KH07w0C
On Monday 5 November 2018, 15:56:23 GMT, Derek Atkins <derek@ihtfp.com> wrote:
moore moore <moore_chestnut@yahoo.ie> writes:
> This is really helpful and makes a lot of sense. Thank you for the detailed
> info.
>
> So in relation to:
> "4) If the service requests updated authentication (401) the proxy can
> refresh by re-running the Application authentication protocol using the
> cached service ticket. This can continue until the service ticket
> expires."
>
> By "Application authentication protocol", do you mean TGS_REQ/RSP to the KDC?
No, I mean the AP_REQ/AP_REP between the Kerberos Client and the
Kerberized Server.
> On the proxy, there is an application process (using the kerberos lib) and
> the TGT is cached in kerberos credential cache. All this is fine.
> The service ticket is cached in an application level process.
Right, that would be caching the TGS_REQ/TGS_REP from the KDC. This
caching should be valid for ~24 hours, depending on how long the service
ticket is valid for.
> But I get very little use out of the cached service ticket, due to the demand
> and frequency of the 401s.
> When the 401 happens, (in relation to your point 4), a series of TGS_REQ/RSP
> result on the wire between proxy and KDC. If I just use the cached ticket
> here, then it is just a crazy loop of 401s. That's why application process
> goes to KDC for new service ticket, which the kerberized service will accept,
> but then will quickly issue 401s again, thus resulting in having to go back to
> KDC again for new service ticket.
Have you verified that the service ticket is still valid?
Is there a time skew between the proxy (kerberos client) and the service?
> Is this the correct and only way for the proxy to "refresh" the service
> ticket?
No, you should be able to re-use the Service Ticket and just issue a new
AP_REQ/AP_REP between the proxy and the service. Unless the problem is
that the proxy is caching *THIS* -- in which case yes, you're kind of
screwed. Note that the AP_REQ/AP_REP is between the client and service,
and NOT with the KDC, so there is no reason that the client would need
to cache this.
> Thank you.
-derek
--
Derek Atkins 617-623-3745
derek@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
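The flow the thread converges on (one TGS-REQ to obtain the service ticket, then a fresh authenticator wrapped in a new AP-REQ for every 401, with the server rejecting a re-used authenticator per RFC 4120 3.2.2) is modelled in the following added example. It is not code from the thread, from MIT krb5 or from any project the posters mention: Kerberos encryption is replaced by an HMAC-sealed JSON blob so the script runs offline with the standard library only, the `Negotiate` token is a base64 JSON stand-in for a real SPNEGO/GSSAPI token, and the class and function names (`KDC`, `KerberizedHttpService`, `ProxyClient`, `run_demo`) are invented for the illustration. The service principal name is taken from the log above; the client name and lifetimes are constructed sample values.

```python
# Added example, not the thread's or MIT krb5's code. Models the AP-REQ
# exchange in RFC 4120 with HMAC standing in for Kerberos encryption.
import base64
import hashlib
import hmac
import json
import secrets
import time

TAG_LEN = 32
CLOCK_SKEW = 300  # seconds of tolerated skew between client and service


def seal(key: bytes, payload: dict) -> bytes:
    """Stand-in for Kerberos EncryptedData: integrity-protect a JSON payload."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body


def unseal(key: bytes, blob: bytes) -> dict:
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(body)


class KDC:
    """Issues service tickets and counts TGS-REQs (the round trips to avoid)."""
    def __init__(self):
        self.service_keys, self.tgs_requests = {}, 0

    def register_service(self, spn: str) -> bytes:
        self.service_keys[spn] = secrets.token_bytes(32)
        return self.service_keys[spn]

    def tgs_req(self, cname: str, spn: str, lifetime: int = 8 * 3600) -> dict:
        self.tgs_requests += 1
        session_key = secrets.token_bytes(32)
        endtime = int(time.time()) + lifetime
        ticket = seal(self.service_keys[spn], {"cname": cname, "sname": spn,
                                               "key": session_key.hex(), "endtime": endtime})
        return {"ticket": ticket, "session_key": session_key, "endtime": endtime}


class KerberizedHttpService:
    """Accepts an AP-REQ carried in Authorization: Negotiate; keeps a replay cache."""
    def __init__(self, spn: str, key: bytes):
        self.spn, self.key = spn, key
        self.replay_cache = set()  # hashes of authenticators already accepted

    def handle(self, authorization: str):
        if not authorization.startswith("Negotiate "):
            return 401, "WWW-Authenticate: Negotiate"
        ap_req = json.loads(base64.b64decode(authorization[len("Negotiate "):]))
        ticket = unseal(self.key, bytes.fromhex(ap_req["ticket"]))
        if ticket["endtime"] < time.time():
            return 401, "KRB_AP_ERR_TKT_EXPIRED"
        auth_blob = bytes.fromhex(ap_req["authenticator"])
        auth = unseal(bytes.fromhex(ticket["key"]), auth_blob)  # session key from ticket
        if auth["cname"] != ticket["cname"]:
            return 401, "KRB_AP_ERR_BADMATCH"
        if abs(auth["ctime"] - time.time()) > CLOCK_SKEW:
            return 401, "KRB_AP_ERR_SKEW"
        digest = hashlib.sha256(auth_blob).digest()
        if digest in self.replay_cache:
            return 401, "KRB_AP_ERR_REPEAT"  # RFC 4120 3.2.2: authenticators MUST NOT be re-used
        self.replay_cache.add(digest)
        return 200, "OK"


class ProxyClient:
    """Caches the service ticket; builds a new AP-REQ (new authenticator) per 401."""
    def __init__(self, kdc: KDC, cname: str):
        self.kdc, self.cname, self.ticket_cache = kdc, cname, {}

    def service_creds(self, spn: str) -> dict:
        creds = self.ticket_cache.get(spn)
        if creds is None or creds["endtime"] <= time.time():  # miss or expired
            creds = self.kdc.tgs_req(self.cname, spn)          # the only KDC round trip
            self.ticket_cache[spn] = creds
        return creds

    def negotiate_header(self, spn: str) -> str:
        creds = self.service_creds(spn)
        now = time.time()
        authenticator = seal(creds["session_key"], {
            "cname": self.cname, "ctime": int(now), "cusec": int((now % 1) * 1e6),
            "seq": secrets.randbelow(2 ** 31)})
        ap_req = {"ticket": creds["ticket"].hex(), "authenticator": authenticator.hex()}
        return "Negotiate " + base64.b64encode(json.dumps(ap_req).encode()).decode()


def run_demo(reauths: int = 5) -> dict:
    kdc = KDC()
    spn = "http/testserver.TEST.COM@TEST.COM"            # SPN from the log above
    service = KerberizedHttpService(spn, kdc.register_service(spn))
    proxy = ProxyClient(kdc, "testuser@TEST.COM")
    statuses = [service.handle(proxy.negotiate_header(spn))[0] for _ in range(reauths)]
    header = proxy.negotiate_header(spn)
    first, replayed = service.handle(header), service.handle(header)  # same AP-REQ twice
    return {"tgs_requests": kdc.tgs_requests, "statuses": statuses,
            "first": first, "replayed": replayed}


if __name__ == "__main__":
    print(run_demo())
```

Running it shows five re-authentications served with a single TGS-REQ, and the sixth AP-REQ accepted once and rejected with `KRB_AP_ERR_REPEAT` when the same header is sent again, which is the symptom to check for if a proxy re-sends a cached `Authorization: Negotiate` header instead of building a new one. With the real library the equivalent of `negotiate_header` is a fresh `gss_init_sec_context` call (SPNEGO mechanism) against the credential cache: it reuses the stored service ticket and emits a new authenticator, so no `krb5_mk_req` plumbing is needed by hand.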