Re: Shall I capture Kerberos-password failure error message ALONE? - Kerberos


Thread: Re: Shall I capture Kerberos-password failure error message ALONE?

  1. Re: Shall I capture Kerberos-password failure error message ALONE?

    And one more thing: I am using Windows 2003 exchange server as my KDC server.

    Please let me know your thoughts.

    Thank you,
    -Surendra
    ----- Original Message -----
    From: Surendra Babu A
    To: kerberos@mit.edu
    Sent: Thursday, February 02, 2006 12:58 PM
    Subject: Shall I capture Kerberos-password failure error message ALONE?


    Hi Kerberos Team,

    If I enter the wrong password at the KDC client, the KDC server gives the response of PREAUTH_FAILURE error. Right?

    1. Is there any way I can get a password failure error message? Is it true that
    "Password verification will be done before sending preauth failure message?"


    2. Can I capture the error message of password failure alone (regardless of preauth failure error)? That means, if I enter the wrong password, the KDC server should reply with an error. If I enter the correct password, the KDC should respond with a SUCCESS message (without considering the preauth failure error). Is it possible with krb5 code?

    Please let me know your thoughts. Thank you.
    -Surendra
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Shall I capture Kerberos-password failure error message ALONE?



    Surendra Babu A wrote:

    > And one more thing: I am using Windows 2003 exchange server as my KDC server.


    AD does have alert messages about KDC failures. Note that the password is never
    sent to the KDC. The KDC can only detect a failure if pre-auth is used, and the
    client returns a pre-auth response encrypted in the wrong key generated from
    the wrong password and salt.



    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444
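
Added example (not part of the original posts, and not krb5 code): a simplified Python model of encrypted-timestamp pre-authentication, showing why the KDC can detect a wrong password only when pre-auth data is present and how that differs from a clock-skew error. PBKDF2 and the HMAC-based keystream are stand-ins for a real Kerberos enctype; the salt, password and function names are constructed for illustration.

```python
import hashlib, hmac, os, struct

MAX_SKEW = 300  # seconds (the 5-minute tolerance discussed in the thread)

def string_to_key(password, salt):
    # Stand-in for a Kerberos string-to-key function (assumption: PBKDF2-SHA1).
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 32)

def keystream(key, nonce, n):
    # Toy HMAC-based keystream, only so the timestamp is not sent in the clear.
    return hmac.new(key, b"ks" + nonce, hashlib.sha256).digest()[:n]

def client_padata(password, salt, client_time):
    """Client side: encrypt the current time under the password-derived key."""
    key = string_to_key(password, salt)
    nonce = os.urandom(8)
    plain = struct.pack(">Q", client_time)
    ct = bytes(a ^ b for a, b in zip(plain, keystream(key, nonce, 8)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def kdc_as_req(stored_key, padata, kdc_time, preauth_required=True):
    """KDC side: reply type for an AS-REQ. The password itself is never seen."""
    if padata is None:
        # Without pre-auth data the KDC has nothing to verify. If the account
        # does not require pre-auth it simply issues an AS-REP; a wrong
        # password only shows up on the client, which cannot decrypt the reply.
        return "KDC_ERR_PREAUTH_REQUIRED" if preauth_required else "AS-REP"
    nonce, ct, tag = padata[:8], padata[8:16], padata[16:]
    expected = hmac.new(stored_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "KDC_ERR_PREAUTH_FAILED"   # wrong key: wrong password or salt
    plain = bytes(a ^ b for a, b in zip(ct, keystream(stored_key, nonce, 8)))
    (ts,) = struct.unpack(">Q", plain)
    if abs(kdc_time - ts) > MAX_SKEW:
        return "KRB_AP_ERR_SKEW"          # right key, clock too far off
    return "AS-REP"

SALT = "EXAMPLE.COMalice"                  # constructed realm + principal
KDC_KEY = string_to_key("correct horse", SALT)  # constructed password
```

In this model a wrong password fails the integrity check before the timestamp can be read, so it yields KDC_ERR_PREAUTH_FAILED regardless of clock skew, while a correct password with a 24-hour offset yields KRB_AP_ERR_SKEW.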


  3. Re: Shall I capture Kerberos-password failure error message ALONE?

    Hi Team,

    Thanks a lot for your reply. Still, I am a bit hazy on this point. Could you
    please clarify the following?

    Do you mean to say,

    If we fill the preauth information with AS-REQ packet and send to KDC:
    - Then in that case, if the client enters the password wrongly, then the KDC returns
    the preauth failure error. (since time mismatch exists between KDC server
    and client)

    If we don't send the preauth information with AS-REQ packet:
    - Then the wrong password at client side results in password failure error.
    Since the preauth is disabled. (Though time mismatch exists more than 5
    minutes)

    Conclusion:
    1. Assume that the time difference between KDC and client is more than 5
    minutes. (Let us say 24 hours).
    2. If we don't send the preauth information with AS-REQ packet, a wrong
    password at the client results in a password failure error (even though time
    mismatch exists).
    3. Because we did not send the preauth information from AS-REQ pkt, we will
    receive password failure but not preauth failure error.

    Is it right? Please let me know your thoughts.

    Thank you,
    -Surendra

    ----- Original Message -----
    From: "Douglas E. Engert"
    To: "Surendra Babu A"
    Cc:
    Sent: Friday, February 03, 2006 9:12 PM
    Subject: Re: Shall I capture Kerberos-password failure error message ALONE?


    > Surendra Babu A wrote:
    >
    > > And one more thing: I am using Windows 2003 exchange server as my KDC server.
    >
    > AD does have alert messages about KDC failures. Note that the password is never
    > sent to the KDC. The KDC can only detect a failure if pre-auth is used, and the
    > client returns a pre-auth response encrypted in the wrong key generated from
    > the wrong password and salt.


  4. information about Kerberos error of KRB_ERR_RESPONSE_TOO_BIG.??

    Dear Kerberos Team,

    I need some information about Kerberos error of KRB_ERR_RESPONSE_TOO_BIG.

    My question is:
    ============
    1. With our implementation of Kerberos (we are using MIT), we are not seeing this error when we use a UDP connection in a Windows environment. (KDC server is at: Windows 2000 Server, Service Pack 4).

    But some other Kerberos implementation (used same MIT code) is giving the error of KRB_ERR_RESPONSE_TOO_BIG with the same Windows KDC Server.

    Could you please let me know why we are seeing this difference? Any specific reason for this in my implementation?

    Thanks a lot in advance,
    -Surendra



  5. Re: information about Kerberos error of KRB_ERR_RESPONSE_TOO_BIG.??

    KRB_ERR_RESPONSE_TOO_BIG is sent by the Windows KDC when the number of
    groups to which the requested principal belongs results in a PAC,
    Microsoft's authorization data structure, that when added to the
    Kerberos ticket results in the ticket being larger than the current
    IP MTU size. The error is an indication to the Kerberos client that
    the client should switch to TCP instead of UDP.

    Jeffrey Altman


    Surendra Babu A wrote:
    > Dear Kerberos Team,
    >
    > I need some information about Kerberos error of KRB_ERR_RESPONSE_TOO_BIG.
    >
    > My question is:
    > ============
    > 1. With our implementation of Kerberos (we are using MIT), we are not seeing this error when we use a UDP connection in a Windows environment. (KDC server is at: Windows 2000 Server, Service Pack 4).
    >
    > But some other kerberos implementation (used same MIT code) is giving the error of KRB_ERR_RESPONSE_TOO_BIG with the same Windows KDC Server.
    >
    > Could you please let me know why we are seeing this difference? Any specific reason for this in my implementation?
    >
    > Thanks a lot in advance,
    > -Surendra
    >
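
Added example (not part of the original posts, and not MIT krb5 code): a Python sketch of the client behaviour described in the reply above, where a KRB-ERROR carrying KRB_ERR_RESPONSE_TOO_BIG (error code 52 in RFC 4120) makes the client resend the same request over TCP with the 4-byte length prefix that Kerberos uses on TCP. The transport callables, function names and the abbreviated sample KRB-ERROR are constructed for illustration.

```python
import struct

KRB_ERR_RESPONSE_TOO_BIG = 52   # RFC 4120 error code
KRB_ERROR_TAG = 0x7E            # [APPLICATION 30], constructed

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def krb_error_code(msg):
    """Return the error-code of a KRB-ERROR, or None for any other message."""
    if not msg or msg[0] != KRB_ERROR_TAG:
        return None
    _, seq, _ = read_tlv(msg, 0)            # unwrap [APPLICATION 30]
    _, fields, _ = read_tlv(seq, 0)         # unwrap SEQUENCE
    pos = 0
    while pos < len(fields):
        tag, val, pos = read_tlv(fields, pos)
        if tag == 0xA6:                     # context tag [6] = error-code
            _, num, _ = read_tlv(val, 0)    # inner INTEGER
            return int.from_bytes(num, "big", signed=True)
    return None

def exchange(request, udp_send, tcp_send):
    """Try UDP first; on error 52 resend the same request over TCP."""
    reply = udp_send(request)
    if krb_error_code(reply) == KRB_ERR_RESPONSE_TOO_BIG:
        framed = tcp_send(struct.pack(">I", len(request)) + request)
        (n,) = struct.unpack(">I", framed[:4])
        return "tcp", framed[4:4 + n]
    return "udp", reply

def der(tag, body):                         # helper for the constructed sample
    return bytes([tag, len(body)]) + body   # short-form lengths only

# Constructed, abbreviated KRB-ERROR (fields after error-code omitted).
SAMPLE_TOO_BIG = der(0x7E, der(0x30,
    der(0xA0, der(0x02, b"\x05")) + der(0xA1, der(0x02, b"\x1e")) +
    der(0xA4, der(0x18, b"20060203154200Z")) + der(0xA5, der(0x02, b"\x00")) +
    der(0xA6, der(0x02, b"\x34"))))
```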

