Hi everyone,

We have an application with a Windows client and an AD domain; S4U2Self works 
well there.

Our application calls LsaLogonUser() to impersonate a user; it uses S4U2Self by 
setting up the Windows structure KERB_S4U_LOGON.

Now we want to switch from Windows AD to an MIT KDC. Currently, Windows can be 
authenticated by the MIT KDC without any problem, but the Windows API 
LsaLogonUser() in our application fails.

Problem 1:
When LsaLogonUser() is called, the following error appears:

Nov 03 14:01:40 niuniu krb5kdc[13724](info): TGS_REQ (5 etypes 
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), 
DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), 
UNSUPPORTED:(-135)}) 192.168.0.5: LOOKING_UP_SERVER: authtime 0, 
host/win11client.mylab....@mylab.com for host\/win11client.mylab....@mylab.com, 
Server not found in Kerberos database

In fact, the principal "host/win11client.mylab....@mylab.com" exists. In 
Wireshark I can see that Windows sends "host/win11client.mylab....@mylab.com" 
as the sname; the KDC converts the sname to 
host\/win11client.mylab....@mylab.com. I have had a look at the code but found 
no parameter or setting that can change this behavior.

Problem 2:
Sometimes the AS-REQ and TGS-REQ are both OK on the MIT KDC, but Windows 
reports this error in the Event Viewer after calling LsaLogonUser():

The digitally signed Privilege Attribute Certificate (PAC) that contains the 
authorization information for client user in realm MYLAB.COM could not be 
validated.
This error is usually caused by domain trust failures; Contact your system 
administrator.

I also tested "kvno -U user" on the same Windows machine, and it works.

From the MIT Kerberos documentation, I can see that S4U is supported. My 
question is: for S4U, does the MIT KDC interoperate with the Windows API? Any 
feedback will be greatly appreciated.

I'm a newbie to Kerberos; thanks for your help!

Regards

================================
Rocket Software, Inc. and subsidiaries | 77 Fourth Avenue, Waltham MA 02451 | 
Main Office Toll Free Number: +1 855.577.4323
================================
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

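The host\/ form in the KDC log above is worth decoding. As an added example (not code from the original mail, and not MIT krb5's own code), the following Python reimplements the quoting rules that MIT's krb5_unparse_name and krb5_parse_name apply to the printable form of a principal: a '/', '@' or '\' that occurs inside a single name component is written with a backslash in front of it. A server principal stored as the two components "host" and the FQDN prints as host/fqdn@REALM; the same characters received as one component containing a literal slash print as host\/fqdn@REALM, and the two do not refer to the same database entry. The hostname win11client.example.com and the realm EXAMPLE.COM are constructed stand-ins for the truncated names in the mail, and the idea that the sname arrived as a single component is my reading of the log, since the posted excerpt does not show the name type.

```python
"""Added example: MIT-style principal name quoting (not code from the mail
or from MIT krb5).  Hostname and realm below are constructed."""

from typing import List, Tuple

# Characters krb5_unparse_name quotes inside a component, and their escapes.
_QUOTE = {"/": "\\/", "@": "\\@", "\\": "\\\\",
          "\n": "\\n", "\t": "\\t", "\b": "\\b", "\0": "\\0"}
# Inverse table used when parsing a backslash escape.
_UNQUOTE = {"/": "/", "@": "@", "\\": "\\",
            "n": "\n", "t": "\t", "b": "\b", "0": "\0"}


def quote_component(comp: str) -> str:
    """Escape one name component the way krb5_unparse_name does."""
    return "".join(_QUOTE.get(ch, ch) for ch in comp)


def unparse_name(components: List[str], realm: str) -> str:
    """Join quoted components with '/' and append '@realm'.
    Realm quoting is simplified here (only '\\' and '@'); real realm
    names do not contain the other special characters anyway."""
    body = "/".join(quote_component(c) for c in components)
    qrealm = realm.replace("\\", "\\\\").replace("@", "\\@")
    return f"{body}@{qrealm}"


def parse_name(text: str) -> Tuple[List[str], str]:
    """Inverse of unparse_name: a backslash protects the next character,
    an unescaped '/' ends a component, an unescaped '@' starts the realm."""
    components: List[str] = []
    cur: List[str] = []
    in_realm = False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(_UNQUOTE.get(text[i + 1], text[i + 1]))
            i += 2
            continue
        if not in_realm and ch == "/":
            components.append("".join(cur))
            cur = []
        elif not in_realm and ch == "@":
            components.append("".join(cur))
            cur = []
            in_realm = True
        else:
            cur.append(ch)
        i += 1
    tail = "".join(cur)
    if in_realm:
        return components, tail
    components.append(tail)
    return components, ""


def same_db_entry(a: str, b: str) -> bool:
    """Two printable names denote the same KDC database entry only if they
    parse to the same component list and realm."""
    return parse_name(a) == parse_name(b)


def demo() -> Tuple[str, str, bool]:
    realm = "EXAMPLE.COM"               # constructed realm
    fqdn = "win11client.example.com"    # constructed hostname
    # What kadmin's addprinc stores: two components, "host" and the FQDN.
    stored = unparse_name(["host", fqdn], realm)
    # An sname that arrived with the whole SPN in ONE component (assumption:
    # this is what the host\/ form in the KDC log indicates).
    received = unparse_name([f"host/{fqdn}"], realm)
    return stored, received, same_db_entry(stored, received)


if __name__ == "__main__":
    stored, received, same = demo()
    print("stored:     ", stored)    # host/win11client.example.com@EXAMPLE.COM
    print("as received:", received)  # host\/win11client.example.com@EXAMPLE.COM
    print("same entry: ", same)      # False
```

The check a practitioner can take from this: when the KDC's LOOKING_UP_SERVER line prints a backslash before the slash, the server name in the request had the slash inside one component, so compare the component count of what the client sent (visible in the Wireshark sname) with the entry created in the database, rather than just comparing the strings by eye.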