2k3 (SP1) and PDC Emulator difference - Kerberos


Thread: 2k3 (SP1) and PDC Emulator difference

  1. 2k3 (SP1) and PDC Emulator difference

    Hi,
    I have Windows 2k and 2k3 (SP1) AD servers in a
    domain, and if I set the 2k server as the
    OperationsMaster->PDC (aka. PDC Emulator), then
    DES_CBC_MD5 key generated using the SPN (and
    corresponding Salt) fails to authenticate on 2k3
    server. It automatically forwards the kerberos ticket
    request (AS_REQ) to the PDC Emulator (which is the 2k
    server), which in turn authenticates the SPN using the
    same key. Also, kinit can get a ticket from 2k3 for
    the same account without forwarding to PDC.
    I am at a loss to explain how the same Kerberos
    DES key works on 2k but not on 2k3, even though the
    account is created on 2k3 AD.
    Interestingly, if I make the 2k3 server the PDC master,
    it will authenticate using the same key and not
    forward the request to the 2k server anymore.
    PDC emulators are for legacy Windows clients; I don't
    see what role it plays here.
    Any ideas, please let me know.
    TIA,
    Amol




    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: 2k3 (SP1) and PDC Emulator difference

    Can you look at the error message? I think there was a change in
    calculating the salt for DES keys.

    Regards
    Markus



  3. Re: 2k3 (SP1) and PDC Emulator difference

    Markus,
    There is no error per se, since the 2k3 forwards the
    ticket request (AS_REQ) to the PDC Emulator (2k
    server), which authenticates using the same key. So
    the salt created does work with the PDC.
    To see how Windows machine accounts are added to a
    domain, I took a trace while adding a machine to the
    domain; it turns out it uses SAMR and not Kerberos, so
    no help.
    Thanks,
    Amol




  4. Re: 2k3 (SP1) and PDC Emulator difference

    Check also the kvno (key version number). 2000 doesn't increment it, whereas
    2003 does, so you can get different kvnos from 2000 and 2003 KDCs. But there
    is a patch from MS which allows you to configure 2003 to act like a 2000 KDC
    wrt kvnos.

    Regards
    Markus



  5. Re: 2k3 (SP1) and PDC Emulator difference



    Markus Moeller wrote:
    > Check also the kvno (key version number). 2000 doesn't increment it, whereas
    > 2003 does, so you can get different kvnos from 2000 and 2003 kdcs. But there
    > is a patch form MS which allows to configure 2003 to act like a 2000 kdc wrt
    > to kvnos.


    If you have the MIT KfW or Unix, try the kvno utility to get a service ticket,
    and see what kvno the KDC returns. Then make sure the keytab file has the key
    with that kvno.



    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444
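    The kvno check that Markus raises in reply 4 and Doug spells out above
    (get a service ticket with the MIT kvno tool, then confirm the keytab holds
    a key with that kvno) can be scripted. The block below is an added example
    for this thread; it is not code from the posters or from MIT Kerberos. It
    writes and reads the MIT keytab v2 (0x0502) layout, including the 32-bit kvno
    extension that replaces the 8-bit field once a KDC has incremented the kvno
    past 255, and then compares the entries with the kvno and enctype a KDC put
    in a ticket. The principal names, keys and timestamps are constructed test
    data; the enctype numbers (des-cbc-md5 = 3, rc4-hmac = 23) are the real
    RFC 3961 / IANA values.

```python
"""Parse an MIT-format keytab and check it against the kvno/enctype a KDC used."""
import struct
from dataclasses import dataclass
from typing import List

# RFC 3961 / IANA encryption type numbers (real values)
DES_CBC_CRC = 1
DES_CBC_MD5 = 3
RC4_HMAC = 23


@dataclass(frozen=True)
class KeytabEntry:
    principal: str      # e.g. "host/app.example.com@EXAMPLE.COM"
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0


class _Reader:
    """Cursor over one keytab entry."""
    def __init__(self, data: bytes, pos: int):
        self.data, self.pos = data, pos

    def unpack(self, fmt: str):
        vals = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals

    def cstr(self) -> bytes:           # counted_octet_string: uint16 length + bytes
        (n,) = self.unpack(">H")
        s = self.data[self.pos:self.pos + n]
        self.pos += n
        return s


def _cstr(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries in MIT keytab version 0x0502 (used here to make test data)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        # name_type=1 (NT-PRINCIPAL), timestamp, 8-bit vno (truncated above 255)
        body += struct.pack(">IIB", 1, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _cstr(e.key)    # keyblock
        body += struct.pack(">I", e.kvno)                       # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is handled here")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot: skip it
            pos += -size
            continue
        if size == 0:
            raise ValueError("zero-length keytab entry")
        end = pos + size
        r = _Reader(data, pos)
        (ncomp,) = r.unpack(">H")
        realm = r.cstr().decode()
        comps = [r.cstr().decode() for _ in range(ncomp)]
        _name_type, ts, vno8 = r.unpack(">IIB")
        (etype,) = r.unpack(">H")
        key = r.cstr()
        kvno = vno8
        if end - r.pos >= 4:         # MIT uses the 32-bit vno when present and non-zero
            (vno32,) = r.unpack(">I")
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, etype, key, ts))
        pos = end
    return entries


def diagnose(entries: List[KeytabEntry], principal: str, kdc_kvno: int, kdc_enctype: int) -> str:
    """Compare the kvno/enctype the KDC used for a service ticket with the keytab."""
    mine = [e for e in entries if e.principal == principal]
    if not mine:
        return "no-principal"
    if any(e.kvno == kdc_kvno and e.enctype == kdc_enctype for e in mine):
        return "ok"
    if any(e.enctype == kdc_enctype for e in mine):
        return "kvno-mismatch"       # same key type, but the KDC has moved on to a newer kvno
    return "enctype-mismatch"


# Constructed sample data (principals, keys and timestamps are made up)
SPN = "host/app.example.com@EXAMPLE.COM"
SAMPLE_ENTRIES = [
    KeytabEntry(SPN, 2, DES_CBC_MD5, bytes.fromhex("0e329232ea6d0d73"), 1127938487),
    KeytabEntry(SPN, 2, RC4_HMAC, bytes.fromhex("3c6f1a9e52d08b7741ee0c95a2d6f318"), 1127938487),
    KeytabEntry("http/web.example.com@EXAMPLE.COM", 300, DES_CBC_MD5,
                bytes.fromhex("13dfe5b4d0c2ae08"), 1127938487),
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":
    parsed = parse_keytab(SAMPLE_KEYTAB)
    for e in parsed:
        print(f"kvno={e.kvno:<4} etype={e.enctype:<3} {e.principal}")
    # A 2003 KDC that has incremented the kvno to 3 will not be matched by this keytab
    print(diagnose(parsed, SPN, 3, DES_CBC_MD5))
```

    On a Unix host with MIT Kerberos, the two inputs come from `kvno
    host/app.example.com` (which prints the kvno the KDC put in the ticket)
    and `klist -ekt /etc/krb5.keytab` (which lists kvno and enctype per keytab
    entry); the function above reads the keytab directly, so only the kvno and
    enctype reported by kvno/klist need to be fed in.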

