Decrypting KRB_AS_REP ticket - Kerberos

This is a discussion on Decrypting KRB_AS_REP ticket - Kerberos ; Hi, I am trying to create a quick prototype for a kerberized service which would look at the authorization data( with SID's) present in the service ticket and accept/reject the service request. To start with, I created an SPN in ...

+ Reply to Thread
Results 1 to 2 of 2

Thread: Decrypting KRB_AS_REP ticket

  1. Decrypting KRB_AS_REP ticket

    Hi,



    I am trying to create a quick prototype for a kerberized service which
    would look at the authorization data( with SID's) present in the service
    ticket and accept/reject the service request. To start with, I created
    an SPN in the active directory(windows 2003 Domain controller /KDC) for
    this service using "ktpass" with -princ -mapuser options with -crypto
    being RC4-HMAC-NT. Then I created a service ticket for this service
    using "kinit -S service" option, I did this from a linux client in the
    same domain with a user account. Now I am trying to decrypt the
    KRB_AS_REP packet which contains the service ticket and get the
    authorization data. I used the "krb5_arcfour_decrypt" API for the
    decryption. I see that the decryption fails with
    KRB5KRB_AP_ERR_BAD_INTEGRITY. I am using the service key given out by
    the "ktpass" tool after it created the keytab file, to decrypt the
    service ticket.



    I am suspecting that the key used by the KDC for generating this service
    request may be different than the one thrown out by "ktpass".

    Has anyone seen this before ? Does anyone know why this is not working ?



    Any help/suggestions would be greatly appreciated.



    Thanks,

    Madhu



    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Decrypting KRB_AS_REP ticket



    Kallapur, Madhusudan V wrote:
    > Hi,
    >
    >
    >
    > I am trying to create a quick prototype for a kerberized service which
    > would look at the authorization data( with SID's) present in the service
    > ticket and accept/reject the service request. To start with, I created
    > an SPN in the active directory(windows 2003 Domain controller /KDC) for
    > this service using "ktpass" with -princ -mapuser options with -crypto
    > being RC4-HMAC-NT. Then I created a service ticket for this service
    > using "kinit -S service" option, I did this from a linux client in the
    > same domain with a user account. Now I am trying to decrypt the
    > KRB_AS_REP packet which contains the service ticket and get the
    > authorization data.


    I would suspect that the KRB_AS_REP enc-part is encrypted in the
    user's key. The enc-part (EncTicketPart) of the Ticket in the KREB_AS_REP
    would be in encrypted in the servers's key.


    I used the "krb5_arcfour_decrypt" API for the
    > decryption. I see that the decryption fails with
    > KRB5KRB_AP_ERR_BAD_INTEGRITY. I am using the service key given out by
    > the "ktpass" tool after it created the keytab file, to decrypt the
    > service ticket.
    >
    >

    Sounds like you are too low a level in the Kerberos API, and may be
    missing some thing, like a key derivation.

    You may want to look at krb5_decrypt_tkt_part in decrypt_tk.c
    which is used by b5_rd_req_decrypt_tkt_part to process the KRB_AP_REQ
    which is what the server would normally use.

    >
    > I am suspecting that the key used by the KDC for generating this service
    > request may be different than the one thrown out by "ktpass".
    >
    > Has anyone seen this before ? Does anyone know why this is not working ?
    >
    >
    >
    > Any help/suggestions would be greatly appreciated.
    >
    >
    >
    > Thanks,
    >
    > Madhu
    >
    >
    >
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >
    >
    >


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


+ Reply to Thread