KRB_AP_ERR_MODIFIED w/ msDS-SupportedEncryptionTypes AES128 but not w/ AES256

2024-05-16 Thread Michael B Allen
r 2016 domain member. Client prog is running on same server under same session / user (hmmm...). Packet captures look normal. The failed case client gets an AES256 TGT and then an AES128 ticket as expected. [1] There is an AS-{REQ,REP} for the acceptor account which is slightly unexpected (and fai

Re: kinit without dns

2024-01-24 Thread Michael B Allen
On Wed, Jan 24, 2024 at 4:27 PM Sam Hartman wrote: > > >>>>> "Michael" == Michael B Allen writes: > > Michael> Hi Ken, > > Michael> Indeed. Unfortunately my stock packages on CentOS 9 Stream > Michael> are 1.21 but the KRB5_TRACE

Re: kinit without dns

2024-01-24 Thread Michael B Allen
r trying to pin AES128 that I'm dancing outside the lines of sanity at this point. Really glad to see KRB5_TRACE was added. Thanks for your support. Mike -- Michael B Allen Java AD DS Integration https://www.ioplex.com/ Kerberos mailing list

kinit without dns

2024-01-24 Thread Michael B Allen
my prod machines to use DNS for test machines is not ideal. Ideas? Mike -- Michael B Allen Java AD DS Integration https://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Kerberos and HTTP / HTTPS - Could Kerberos tickets be intercepted and misused?

2016-08-25 Thread Michael B Allen
On Thu, Aug 25, 2016 at 10:09 AM, Simo Sorce <s...@redhat.com> wrote: > On Wed, 2016-08-24 at 22:05 -0400, Michael B Allen wrote: >> But, again, the point is that the client would not be "joined" to a >> domain, it would not be required to have network access to a K

Re: Kerberos and HTTP / HTTPS - Could Kerberos tickets be intercepted and misused?

2016-08-24 Thread Michael B Allen
ve to run the client application in the context of the principal (meaning they would not have to "login" as a specific user first), the client would not have to do fancy SRV queries to find the right KDC and the client would not submit huge tickets with e

Re: Kerberos and HTTP / HTTPS - Could Kerberos tickets be intercepted and misused?

2016-08-24 Thread Michael B Allen
On Wed, Aug 24, 2016 at 3:12 PM, Simo Sorce <s...@redhat.com> wrote: > On Wed, 2016-08-24 at 12:35 -0400, Michael B Allen wrote: >> On Wed, Aug 24, 2016 at 2:36 AM, Rick van Rein <r...@openfortress.nl> wrote: >> > Hey Mike, >> > >> >> But

Re: Kerberos and HTTP / HTTPS - Could Kerberos tickets be intercepted and misused?

2016-08-24 Thread Michael B Allen
On Wed, Aug 24, 2016 at 2:36 AM, Rick van Rein wrote: > Hey Mike, > >> But it would be even better if the client could (or had the option to) >> do authentication with the service directly and thus eliminate the >> numerous dependencies for clients (DNS, KDC access, stale

Re: Kerberos and HTTP / HTTPS - Could Kerberos tickets be intercepted and misused?

2016-08-23 Thread Michael B Allen
ity as well. Mike -- Michael B Allen Java Active Directory Integration http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Beginner Kerberos question - problem with spnego authentication with webserver

2016-06-22 Thread Michael B Allen
beros tickets cannot be "stale" (use kerbtray.exe to purge on clients) But in your case it sounds like the client is initiating auth which means it's getting a ticket so it's more likely to be 3, 5, 6 or 7. This all assumes that this "flask" thing knows about SPNEGO (would be

Re: Kerberos Authentication question(s)

2015-06-26 Thread Michael B Allen
be the toe-hold necessary to do something like a proper stand-alone authentication over HTTP. -- Michael B Allen Java Active Directory Integration http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu

Re: Kerberos Authentication question(s)

2015-06-25 Thread Michael B Allen
the Client-ID to lookup the authentication state. And if the Client-ID also included an integrity code, that would go a looong way. Mike -- Michael B Allen Java Active Directory Integration http://www.ioplex.com/ Kerberos mailing list

Re: Kerberos Authentication question(s)

2015-06-24 Thread Michael B Allen
content of the token as it is largely handled by GSSAPI / JGSS. Mike -- Michael B Allen Java Active Directory Integration http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Java code performing Kerberos password AuthN

2014-06-27 Thread Michael B Allen
be pretty solid. Mike -- Michael B Allen Java Active Directory Integration http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Java code performing Kerberos password AuthN

2014-06-26 Thread Michael B Allen
to access the ccache. The API is horrible as evidenced by the flaming hula hoops you had to go through to do anything remotely sophisticated. Mike -- Michael B Allen Java Active Directory Integration http://www.ioplex.com/ Kerberos mailing list

Re: Is Windows server 2008+KDC not interoperable with Java, Solaris and UNIX or MIT kerberos?

2011-07-28 Thread Michael B Allen
compatibility. Maybe your security policy has been tweaked to reject DES in this way. Just hypothesizing. Mike -- Michael B Allen Java Active Directory Integration http://www.ioplex.com/ -Original Message- From: Michael B Allen [mailto:iop...@gmail.com] Sent: Thursday, July 28, 2011

Re: Is Windows server 2008+KDC not interoperable with Java, Solaris and UNIX or MIT kerberos?

2011-07-28 Thread Michael B Allen
/ default_tgs_enctypes set? What enctype did Java use to encrypt the padata in the AS-REQ? Mike -Original Message- From: Michael B Allen [mailto:iop...@gmail.com] Sent: Thursday, July 28, 2011 3:22 PM To: Sabharanjak, Ravi Cc: kerberos@mit.edu Subject: Re: Is Windows server 2008+KDC

Re: Java GSS client talking to SSPI C++ Server

2011-02-25 Thread Michael B Allen
should be able to get Java's Kerberos implementation to work. Mike -- Michael B Allen Java Active Directory Integration http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Win 2008R2 kdc and linux client: no support for encryption type while getting initial credentials - SOLVED

2010-03-23 Thread Michael B Allen
On Tue, Mar 23, 2010 at 7:30 AM, John Jasen jja...@realityfailure.org wrote: Michael B Allen wrote: Actually I would not be surprised if that hot fix is never made public. DES is being phased out. If you have any Windows accounts that use DES, you should update them to AES-256, AES-128 or RC4

Re: Win 2008R2 kdc and linux client: no support for encryption type while getting initial credentials - SOLVED

2010-03-22 Thread Michael B Allen
on x64 servers. Hi Lars, Actually I would not be surprised if that hot fix is never made public. DES is being phased out. If you have any Windows accounts that use DES, you should update them to AES-256, AES-128 or RC4 in that order of preference. Mike -- Michael B Allen Java Active Directory

Kerberos Direct Service Authentication without Client / KDC Communication?

2010-03-15 Thread Michael B Allen
Hi All, Is there a mode of operation where a Kerberos client can directly authenticate with a service without first communicating with a KDC? Kerberos currently requires that clients are using a suitable DNS server, have access to whatever KDCs DNS is referring it to and have relatively accurate

Re: Enquiry - Kerberos

2010-01-31 Thread Michael B Allen
implementations either because they are good (password protocol) or because Active Directory is ubiquitous. Mike -- Michael B Allen Java Active Directory Integration http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https

Re: MIT kinit with AD userPrincipalName with SMTP domain and not proper realm?

2009-11-21 Thread Michael B Allen
this with Java but given the spotted history of Java's builtin Kerberos implementation I don't expect that to be tackled easily. I kinda wish I just had a really solid ASN.1 compiler and crypto lib for the various languages. Ho-hum. Thanks, Mike -- Michael B Allen Java Active Directory Integration http

MIT kinit with AD userPrincipalName with SMTP domain and not proper realm?

2009-11-20 Thread Michael B Allen
be substituted with a proper realm and which one? Mike -- Michael B Allen Java Active Directory Integration http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: MIT kinit with AD userPrincipalName with SMTP domain and not proper realm?

2009-11-20 Thread Michael B Allen
the @domain and sent the AS-REQ to the default authority. Mike On Fri, Nov 20, 2009 at 7:48 PM, Michael B Allen iop...@gmail.com wrote: Hi, Is it possible to acquire credentials using kinit from AD using the userPrincipalName on an AD account if the DNS domain does not match the AD realm

Re: Getting a Windows username from an SID with Kerberos

2009-10-08 Thread Michael B Allen
of an account in Windows. So this is off topic for this list but I'll give you some pointers: 1. Use rpcclient from the Samba package 2. Google for JCIFS, create a jcifs.smb.SID, use resolve() with suitable credentials and then toDisplayString(). Mike -- Michael B Allen Java Active Directory

Re: Multiple Apache websites using Kerberos authentication (through the mod_auth_kerb module)

2009-09-11 Thread Michael B Allen
in one go. Also, professional software that does Kerberos auth usually includes some capability to do all of this for you. If you're using a bare-bones solution like mod_auth_kerb, it's up to you to create a keytab. Good luck, Mike -- Michael B Allen PHP Active Directory Integration http

Re: noob question on where to start with Kerberos

2009-07-27 Thread Michael B Allen
a password at all. On corporate intranets this is a highly desirable feature. You do not want to do anything with PAM or SASL. Mike -- Michael B Allen Java Active Directory Integration http://www.ioplex.com/ Kerberos mailing list Kerberos

Re: Kerberos auth against AD, keytabs, and service principal names

2009-07-20 Thread Michael B Allen
. And you can create the service account and set the password entirely from Plexcel. Mike -- Michael B Allen Java Active Directory Integration http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman

Re: second keytab for similar service (but different SPN/IP) breaks the first

2009-06-03 Thread Michael B Allen
with it. Mike -- Michael B Allen Java Active Directory Integration http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Acquiring a TGT for a host/ principal using Active Directory

2009-04-08 Thread Michael B Allen
. You're setting yourself up for a migration migraine. Mike -- Michael B Allen Java Active Directory Integration http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: confusion with service principal names in Active Directory

2009-03-30 Thread Michael B Allen
-- Michael B Allen Java Active Directory Integration http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: WS-Security and GSS-API: How do I get the session key?

2009-03-06 Thread Michael B Allen
[])ctx.inquireSecContextByOid(sspiSessionKeyOid); Otherwise you're going to end up just adding more methods in an already overwhelming API. Mike -- Michael B Allen Java Active Directory Integration http://www.ioplex.com/ Kerberos mailing list

Re: Kerberos - Microsoft Active Directory DNS

2009-01-29 Thread Michael B Allen
On Thu, Jan 29, 2009 at 10:00 AM, Christopher D. Clausen cclau...@acm.org wrote: Michael B Allen iop...@gmail.com wrote: In general, both the MIT and Heimdal clients are not optimized for a Windows environment. We have an AD integration product that uses Heimdal that we made a lot of changes

Re: Kerberos - Microsoft Active Directory DNS

2009-01-28 Thread Michael B Allen
might still consider broken)? Mike -- Michael B Allen Java Active Directory Integration http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Kerberos - Microsoft Active Directory DNS

2009-01-28 Thread Michael B Allen
On Wed, Jan 28, 2009 at 4:57 PM, Morten Sylvest Olsen mortenol...@gmail.com wrote: On Jan 28, 9:27 pm, Michael B Allen iop...@gmail.com wrote: Hi Morten, It's not clear to me what component is doing a reverse lookup. What software is actually getting the name mixed up? Is it an LDAP client

Re: Kerberos protocol transition for linux?

2008-11-19 Thread Michael B Allen
On Wed, Nov 19, 2008 at 11:45 AM, S2 [EMAIL PROTECTED] wrote: Michael B Allen wrote: If you have PHP see the link in my sig about Plexcel. It certainly could do what you describe. The back end services are a mix of Java, .NET, php and rails apps (on windows and on linux servers), so

Re: IE6 Fallback to NTLM

2008-11-10 Thread Michael B Allen
comparison. Mike -- Michael B Allen PHP Active Directory SPNEGO SSO http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: No principal in keytab

2008-10-30 Thread Michael B Allen
On Thu, Oct 30, 2008 at 10:47 AM, yuval [EMAIL PROTECTED] wrote: Hi I try to authenticate web server clients on Linux apache. I have keytab from win2003 and kinit pass OK. Klist show valid principal. [EMAIL PROTECTED] klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal:

Re: [modauthkerb]: KRB5CCNAME only set for subprocesses

2008-09-17 Thread Michael B Allen
OSS stack. Anyway, if you try Plexcel or have any questions about it, please contact IOPLEX Software support directly and I'll help you in whatever way I can. Mike -- Michael B Allen PHP Active Directory SPNEGO SSO http://www.ioplex.com/ Kerberos

Re: spnego

2008-09-11 Thread Michael B Allen
. For me this seems like a bug in IE7, has anyone found solutions for this? That's not a bug. You will need to add SPNs to the desired account (using setspn) for each virtual hostname. Mike -- Michael B Allen PHP Active Directory SPNEGO SSO http://www.ioplex.com

Re: Application to extract Kerberos Credential

2008-09-10 Thread Michael B Allen
mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/krbdev Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos -- Michael B Allen PHP Active Directory SPNEGO SSO

Re: Using GSSAPI to Authenticate to AD

2008-08-28 Thread Michael B Allen
that there is such a credential. Unfortunately GSSAPI does not define how to acquire initial credentials. Like I said - there are a lot of details that are not handled by GSSAPI alone. Mike -- Michael B Allen PHP Active Directory SPNEGO SSO http://www.ioplex.com/ Kerberos

Re: spnego

2008-08-17 Thread Michael B Allen
for browsers not doing Kerberos (obviously if you are not using Plexcel you will need to ignore any product specific references but getting browsers to do Kerberos is pretty much the same regardless of what you are using on the server side). Mike -- Michael B Allen PHP Active Directory SPNEGO SSO

Re: Creating an MIT style keytab for an existing Windows AD member computer

2008-07-23 Thread Michael B Allen
the keys from a DC and dump them into a keytab but it is only (sometimes) useful for debugging purposes with WireShark. The resulting keytab is not valid for use with any kind of service. -- Michael B Allen PHP Active Directory SPNEGO SSO http://www.ioplex.com

Re: Problem with SPNEGO on Solaris 10 build 4

2008-07-20 Thread Michael B Allen
have to use symbol versioning if you're loading things dynamically. Mike -- Michael B Allen PHP Active Directory SPNEGO SSO http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: SSO

2008-07-18 Thread Michael B Allen
On Fri, Jul 18, 2008 at 5:28 AM, Simon Wilkinson [EMAIL PROTECTED] wrote: On 18 Jul 2008, at 06:57, Russ Allbery wrote: Michael B Allen [EMAIL PROTECTED] writes: If you read the whole thread you'd know I'm only talking about the *IntrAnet* scenario. With SPNEGO you do not type

Re: SSO

2008-07-18 Thread Michael B Allen
On Fri, Jul 18, 2008 at 7:13 AM, Michael Ströder [EMAIL PROTECTED] wrote: Michael B Allen wrote: On Thu, Jul 17, 2008 at 6:46 PM, Russ Allbery [EMAIL PROTECTED] wrote: And that is the scenario where direct SPNEGO / NTLMSSP solutions are going to perform better. If by better you mean pretty

Re: SSO

2008-07-18 Thread Michael B Allen
off the Trusted for delegation flag on the HTTP service account). Mike [1] Kerberos provides other ways to limit how the TGT can be used and to proxy service tickets and such but I don't think browsers have support for such things yet. -- Michael B Allen PHP Active Directory SPNEGO SSO http

Re: SSO

2008-07-17 Thread Michael B Allen
(obsolete), raw NTLMSSP (rare), raw Kerberos 5 (rarer) or SPNEGO (very common - used to negotiate either NTLMSSP or Kerberos 5). Mike -- Michael B Allen PHP Active Directory SPNEGO SSO http://www.ioplex.com/ Kerberos mailing list Kerberos

Re: SSO

2008-07-17 Thread Michael B Allen
On Thu, Jul 17, 2008 at 5:01 PM, Russ Allbery [EMAIL PROTECTED] wrote: Michael B Allen [EMAIL PROTECTED] writes: and, more important, they do not give you true single-sign-on behavior. They're more like double sign on because you have to login to a central server and they get redirected back

Re: SSO

2008-07-17 Thread Michael B Allen
and the 200 response is less than 20 ms (or ~50 ms if the user is in a few hundred groups). Mike -- Michael B Allen PHP Active Directory SPNEGO SSO http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu

Re: SSO

2008-07-17 Thread Michael B Allen
it as trusted for delegation. Mike -- Michael B Allen PHP Active Directory SPNEGO SSO http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: krb5_context in a threaded process

2008-07-08 Thread Michael B Allen
-- Michael B Allen PHP Active Directory SPNEGO SSO http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Password Salting Methods

2008-06-01 Thread Michael B Allen
On 6/2/08, Ken Raeburn [EMAIL PROTECTED] wrote: On May 29, 2008, at 22:22, Michael B Allen wrote: Is there a reference anywhere that outlines the different password salting methods used by different KDCs? There are RFCs 3961, 3962, and 4757, which outline how salt strings

Password Salting Methods

2008-05-30 Thread Michael B Allen
performance and get rid of annoying Windows preauthentication failed event log errors. Mike -- Michael B Allen PHP Active Directory SPNEGO SSO http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman

Re: Help required in using kerberos in our project

2008-05-15 Thread Michael B Allen
client and server programs use entirely GSSAPI to handle authentication. The KDC (MIT, Heimdal, Active Directory, ...) should already be setup and running in the target environment. Mike -- Michael B Allen PHP Active Directory SPNEGO SSO http://www.ioplex.com

Re: PAC missing from service tickets why?

2008-04-24 Thread Michael B Allen
On 4/24/08, Douglas E. Engert [EMAIL PROTECTED] wrote: Michael B Allen wrote: Hi All, Sorry for the MS specific question. Regarding the Privilege Attribute Certificate in the authorization-data field, someone using my SPNEGO HTTP server product is getting an error that indicates

Clock skew too great / System vs Hardware clock problem?

2008-04-19 Thread Michael B Allen
. So now what? Could it be that the hardware clock and system clock are not in sync? From experience it doesn't matter if the hardware clock is UTC or not. I'm stumped. Any ideas? Mike -- Michael B Allen PHP Active Directory SPNEGO SSO http://www.ioplex.com

Re: [SOLVED] Clock skew too great / System vs Hardware clock problem?

2008-04-19 Thread Michael B Allen
the following to get AM vs PM: C:\time /T The time on the Windows server was set to 3 AM and not 3 PM. Thanks, Mike -- Michael B Allen PHP Active Directory SPNEGO SSO http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https

Re: SPNEGO NTLM / Kerberos over HTTP (aka RFC4559) confusion

2008-03-18 Thread Michael B Allen
On 3/18/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: On Mar 18, 12:59 am, Michael B Allen [EMAIL PROTECTED] wrote: If the HTTP server returns WWW-Authenticate: NTLM then the client must use NTLMSSP tokens. If it returns WWW-Authenticate: Negotiate then the tokens must be SPNEGO

Re: SPNEGO NTLM / Kerberos over HTTP (aka RFC4559) confusion

2008-03-18 Thread Michael B Allen
a GSSAPI implementation that supports SPNEGO and you're done. Mike -- Michael B Allen PHP Active Directory SPNEGO SSO http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: SPNEGO NTLM / Kerberos over HTTP (aka RFC4559) confusion

2008-03-18 Thread Michael B Allen
support delegation so if I remember your original post correctly, implementing NTLM with pass-through authentication would not help your particular scenario. Mike -- Michael B Allen PHP Active Directory SPNEGO SSO http://www.ioplex.com/ Kerberos

Re: SPNEGO NTLM / Kerberos over HTTP (aka RFC4559) confusion

2008-03-17 Thread Michael B Allen
://support.microsoft.com/kb/885887 http://support.microsoft.com/kb/906524/en-us -- Michael B Allen PHP Active Directory SPNEGO SSO http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: SPNEGO NTLM / Kerberos over HTTP (aka RFC4559) confusion

2008-03-17 Thread Michael B Allen
On 3/17/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: On Mar 17, 9:12 pm, Michael B Allen [EMAIL PROTECTED] wrote: The problem is that the client will not or cannot initiate Kerberos. Nice try, however no. The client has no problems using Kerberos. There are credentials in the cache

Re: Problem configuring kerberos delegation on a windows 2003 domain

2008-02-29 Thread Michael B Allen
a capture and generally adjust your terminology into failed to get a TGT, the SPN is, service ticket this, credential that, ... Is the HTTP a_service.smnyl.com.mx supposed to be an SPN? Perhaps that should be HTTP/a_service.smnyl.com.mx? Mike -- Michael B Allen PHP Active Directory SPNEGO SSO

Re: javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030B: LdapErr:DSID-0C09043E

2008-02-28 Thread Michael B Allen
(LdapCtx.java:290) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL (LdapCtxFactory.java:175) -- Michael B Allen PHP Active Directory SPNEGO SSO http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https

Re: Kerberos.app AD UPN SAM authentication issue

2007-10-21 Thread Michael B Allen
to 10. Mike -- Michael B Allen PHP Active Directory SPNEGO SSO http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Kerberos.app AD UPN SAM authentication issue

2007-10-06 Thread Michael B Allen
(although it does at the krb5 level). Thanks, Mike -- Michael B Allen PHP Active Directory SPNEGO SSO http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Kerberos.app AD UPN SAM authentication issue

2007-10-04 Thread Michael B Allen
-- Michael B Allen PHP Active Directory Kerberos SSO http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Kerberos.app AD UPN SAM authentication issue

2007-10-04 Thread Michael B Allen
On 10/4/07, Russ Allbery [EMAIL PROTECTED] wrote: Michael B Allen [EMAIL PROTECTED] writes: Active Directory does not use the userPrincipalName attribute to do Kerberos authentication. It uses [EMAIL PROTECTED] I just tested against our Active Directory with an account that had both

Re: Active Directory LDAP SSH

2007-09-04 Thread Michael B Allen
On 9/4/07, Roman S [EMAIL PROTECTED] wrote: Hey guys! I've configured a Microsoft Active Directory with LDAP and Kerberos, and some Linux (Redhat) clients who authenticate to it. I'm able to get some tickets for the users who are in the Active Directory, but SSH behaves a bit strange. I

Re: Creating SPNEGO tokens

2007-07-01 Thread Michael B Allen
Markus Markus Moeller [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] But the input to gss_init_sec_context is a gss_OID structure. How do I build the structure ? If I use gss_str_to_oid I get an error Invalid argument Thanks Markus Michael B Allen [EMAIL PROTECTED

Re: Creating SPNEGO tokens

2007-06-30 Thread Michael B Allen
On 6/30/07, Markus Moeller [EMAIL PROTECTED] wrote: Which mech OID do I need to use in gss_init_sec_context to get a SPNEGO token ? I looked in the header files of 1.6.1 but it is not defined there. Hi Markus, The OID for SPNEGO is 1.3.6.1.5.5.2. Mike

Re: AW: AW: AW: Some Users get Basic Auth?

2007-06-14 Thread Michael B Allen
had success with it when experiencing unreliable behavior like you're describing. Mike -Original Message- From: Michael B Allen [mailto:[EMAIL PROTECTED] Sent: Wednesday, 13 June 2007 08:57 To: Djihangiroff, Matthias (KC-DD) Cc: Todd Stecher; kerberos@mit.edu Subject: Re

Re: Some Users get Basic Auth?

2007-06-12 Thread Michael B Allen
|..(.| This is raw NTLMSSP. Check your browser settings. Mike -- Michael B Allen PHP Active Directory Kerberos SSO http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman

Re: Kerberos for authentication, php for authorization

2007-06-08 Thread Michael B Allen
account. Then you can use any one of those hostnames and it works equally well. What is it that mod_auth_kerb is doing differently? Mike -- Michael B Allen PHP Active Directory Kerberos SSO http://www.ioplex.com/ Kerberos mailing list

Re: Kerberos for authentication, php for authorization

2007-06-08 Thread Michael B Allen
, for example. Ahh, ok. But why is using GSS_C_NO_CREDENTIAL a problem exactly? If the key is good the key is good no? Mike -- Michael B Allen PHP Active Directory Kerberos SSO http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https

Firefox Requests TGT Every Time it Authenticates?

2007-06-08 Thread Michael B Allen
Hi, Has anyone noticed that Firefox (1.5.0 on Linux x86 in my case at least) requests a TGT every time it authenticates? Why doesn't it use the one it has in the ccache? It gets the HTTP service ticket from the ccache file just fine. Mike -- Michael B Allen PHP Active Directory Kerberos SSO

Re: Website- Kerberos: The Network Authentication Protocol

2007-06-08 Thread Michael B Allen
Thomas, Your post is totally inappropriate. Please do not post this stuff here (or anywhere else for that matter). Mike Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

IE 7 pops up Network Password Dialog on FIRST 401 Unauthorized

2007-06-08 Thread Michael B Allen
page or a login page. Now you can't. So if you have a Kerberos site with fallback to a login form, this annoying and confusing Network Password dialog pops up and you have to hit cancel five times to get in. Someone please tell me there's a registry setting to fix this. Mike -- Michael B Allen PHP

Re: gssapi auth, and multihomed multinamed hosts

2007-06-06 Thread Michael B Allen
on the KDC associated with the service principal matches the key in the keytab used by sshd then it should work. Mike -- Michael B Allen PHP Active Directory Kerberos SSO http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https

Re: authentication on windows xp thru kerberos

2007-06-06 Thread Michael B Allen
might post the exact error text here. Mike [1] http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx#EVCAC [2] http://www.h5l.se/manual/heimdal-0-7-branch/info/heimdal.html#Configuring-Windows-2000-to-use-a-Heimdal-KDC -- Michael B Allen PHP Active Directory Kerberos SSO

Correct DNS Behavior

2007-05-31 Thread Michael B Allen
Dear all, My code can't find the KDC on a particular customer's network. The problem is DNS. The DNS communication looks like the following: C: SRV _kerberos._udp.EXAMPLE.COM S: No such name C: SRV _kerberos._tcp.EXAMPLE.COM S: 3 answer records: krb1.EXAMPLE.COM krb2.EXAMPLE.COM

Re: Correct DNS Behavior

2007-05-31 Thread Michael B Allen
} I don't understand how a DNS server can answer an SRV record and not be able to resolve the names it returns. We're either using a bad DNS server or it must expect the client to recur on authority records 3 levels deep. Mike -- Michael B Allen PHP Active Directory Kerberos SSO http

Re: Memory leakage question

2007-05-20 Thread Michael B Allen
but the leaks should never grow beyond a fixed size. Mike PS to kitten: This is another thing that would be more elegant with an application context. -- Michael B Allen PHP Active Directory Kerberos SSO http://www.ioplex.com/ Kerberos mailing list

Re: Error while authenticating using mod_auth_kerb module

2007-05-15 Thread Michael B Allen
Hi Vijay and Sriram, Client configuration and the service account all *looks* good. Now reboot the client and try again. If you ever get the Windows Network Password Dialog DO NOT enter anything into it. IE will remember the credentials and try to do NTLM for the remainder of your logon

Re: Error while authenticating using mod_auth_kerb module

2007-05-11 Thread Michael B Allen
: http://www.ioplex.com/d/Plexcel_Operators_Manual.pdf Note: Our product is not related to mod_auth_kerb but the protocol and client configuration is the same. Mike -- Michael B Allen PHP Active Directory Kerberos SSO http://www.ioplex.com

Firefox vs IE Cross Realm Kerberos SSO Authentication

2007-05-10 Thread Michael B Allen
._udp.B.W.NET S: DNS No such name Can anyone explain this behavior and tell me if it is consistent with what is supposed to happen? Mike -- Michael B Allen PHP Active Directory Kerberos SSO http://www.ioplex.com/ Kerberos mailing list

Re: Cross Realm MIT - Windows Close But No Cigar

2007-05-03 Thread Michael B Allen
debug1: attempt 3 failures 3 debug2: input_userauth_request: try method gssapi-with-mic Failed gssapi-with-mic for ioplex from :::192.168.2.16 port 48735 ssh2 debug1: userauth-request for user ioplex service ssh-connection method publickey debug1: attempt 4 failures 4 Michael B Allen [EMAIL

Re: Cross Realm MIT - Windows Close But No Cigar

2007-05-03 Thread Michael B Allen
.k5login. Now I wonder what smbclient's problem is with the bad echo'd signatures. Where's Andrew Bartlett when you need him ... Mmm, UIUC. I have droves of family in Champaign. Thanks, Mike -- Michael B Allen PHP Active Directory Kerberos SSO http://www.ioplex.com

Re: Mod_auth_kerb and Windows XP SP2

2007-05-02 Thread Michael B Allen
Good job Sriram. I'm cc-ing the mod_auth_kerb list. They were talking about this issue a while back. Mike On Tue, 1 May 2007 19:08:05 -0700 (PDT) SriramG [EMAIL PROTECTED] wrote: Just wanted to update back, if anyone ends up with this issue. We contacted MS they provided a hotfix as

Cross Realm MIT - Windows Close But No Cigar

2007-05-02 Thread Michael B Allen
] The signature in the SMB response packet is identical to the one in the request packet (i.e. it was echo'd). Any ideas? Do I need to do anything special with DNS? Mike -- Michael B Allen PHP Active Directory Kerberos SSO http://www.ioplex.com

Re: Cannot find key of appropriate type to decrypt AP REP

2007-04-20 Thread Michael B Allen
thought I'd make sure. Mike -- Michael B Allen PHP Active Directory Kerberos SSO http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Mod_auth_kerb and Windows XP SP2 issues

2007-04-19 Thread Michael B Allen
there's something wrong with your network or it's a bug in IE. Either way, I'd want to fix it rather than add some feature that just masks the problem. Mike -- Michael B Allen PHP Active Directory Kerberos SSO http://www.ioplex.com/ Kerberos mailing

Re: Mod_auth_kerb and Windows XP SP2

2007-04-17 Thread Michael B Allen
like a simple domain controller availability issue. Perhaps mod_auth_kerb or libkrb5 could benefit from some retry capability. Mike -Original Message- From: Michael B Allen [mailto:[EMAIL PROTECTED] Sent: Monday, April 16, 2007 4:56 PM To: Gopalan, Sriram Cc: kerberos@mit.edu

Re: Mod_auth_kerb and Windows XP SP2

2007-04-16 Thread Michael B Allen
-- Michael B Allen PHP Active Directory Kerberos SSO http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: generating keys from a web app(php)

2007-04-06 Thread Michael B Allen
, when you feel most or all of the passwords are set in both stores, migrate your applications to the new Kerberos infrastructure. Mike -- Michael B Allen PHP Active Directory Kerberos SSO http://www.ioplex.com/ Kerberos mailing list

Re: service principal management with Active Directory KDC

2007-04-03 Thread Michael B Allen
for the paying customers. Mike -- Michael B Allen PHP Active Directory Kerberos SSO http://www.ioplex.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Generating Keytabs for Windows Accounts on Linux

2007-03-26 Thread Michael B Allen
interested, it's called Plexcel and is available for download here (no registration required): http://www.ioplex.com/plexcel.html Again, it's free for 25 users so a little PHP script used by a few admins isn't going to trip up the limit. Mike -- Michael B Allen PHP Active Directory Kerberos SSO http
