-
Notifications
You must be signed in to change notification settings - Fork 94
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Failing to authenticate when used against MIT Kerberos Server #323
Comments
Are there any logs from MIT about the request? Can you enable verbose/debug logging? The error itself is that the client timed out waiting for the KDC to send it a response. The protocol is a length/value pair, so the way the code works is that it reads the length and queries the socket until it can get that length of bytes, OR until the socket is closed intentionally (FIN/RST), OR until the cancellation has triggered from timeout. It's only hitting the last case, which would be a weird behavior on the MIT side of things to let the socket linger open if the client sent a bad request. Can you capture a wireshark trace of a working/failing attempt? |
Ok, some clues...
|
This is what the log output looks like when I do same thing successfully via
|
The name formatted in the log looks a bit fishy. Can you try setting the
|
CORRECTION: NT_PRINCIPAL
…________________________________
From: Andrew Stakhov ***@***.***>
Sent: Tuesday, October 25, 2022 11:28:23 AM
To: dotnet/Kerberos.NET ***@***.***>
Cc: Steve Syfuhs ***@***.***>; Comment ***@***.***>
Subject: Re: [dotnet/Kerberos.NET] Failing to authenticate when used against MIT Kerberos Server (Issue #323)
This is what the log output looks like when I do same thing successfully via kinit ***@***.***
Oct 25 18:27:00 7ce22535e0f1 krb5kdc[20](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.25.0.1: NEEDED_PREAUTH: ***@***.*** for ***@***.***, Additional pre-authentication required
Oct 25 18:27:00 7ce22535e0f1 krb5kdc[20](info): closing down fd 15
Oct 25 18:27:03 7ce22535e0f1 krb5kdc[20](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.25.0.1: ISSUE: authtime 1666722423, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, ***@***.*** for ***@***.***
Oct 25 18:27:03 7ce22535e0f1 krb5kdc[20](info): closing down fd 15
—
Reply to this email directly, view it on GitHub<#323 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAJHTYKGFALFUT23RXW7CELWFAREPANCNFSM6AAAAAAROF3UUE>.
You are receiving this because you commented.Message ID: ***@***.***>
|
Doesn't seem to affect anything - it still formats the requested principal as |
So it looks like it's the same issue as this: #270 I'd guess there's a bug somewhere along the way that's rewriting the name type back to NT_ENTERPRISE. |
Grr, hit submit too early. Can you try setting the PrincipalNameType on the credential itself?
|
Also, interestingly we must have hit this basic issue in the past because we already have a way to handle this automatically. Hmm. Kerberos.NET/Kerberos.NET/Client/KerberosClient.cs Lines 407 to 412 in df33af4
|
Tried it by configuring on credential level - same thing. |
Any other suggestions to try, or this will require a code fix in lib? |
Hello, I have a similar setup and the same issue. I am running the kerberos server in a local docker container and I want to authenticate against it using Kerberos.NET running in the windows host. From a second docker container I am able to authenticate against the server with kinit. Here are the network traces if any one would like to check them: Could this be the root cause for this issue? Or should the server usually be able to handle the Kerberos.NET request properly? |
The CName field is a function of the credential you're using: Kerberos.NET/Kerberos.NET/Entities/Krb/KrbAsReq.cs Lines 135 to 149 in 6828266
And the logic for that is somewhat complicated, but can be forced by setting the name type explicitly: If the issue is that the client only works when you're sending just the short name instead of a UPN, this can be handled by setting the credential username to that. |
Given that MIT Kerberos is defacto library on Linux side (and one .net core is hardcoded relies on to do IWA on linux), perhaps it makes sense to add some kind of "compatibility" enum where all these minor variances between implementations are automatically accounted for. Consumers of this lib usually don't have in-depth knowledge of these minute differences. |
I tried various combinations of username + domain + PrincipalNameType, however, I am unable to force just the short name and the udp name is always sent. So code like this would also have
During debugging I found that Kerberos.NET/Kerberos.NET/Entities/Krb/KrbPrincipalName.cs Lines 339 to 362 in 89ae633
I looked for information about the kerberos protocol and as far as I can understand, the cname is usually just the username and not the full udp. Could this be the cause of the bug we are encountering here? Otherwise, are there any other client and credential options that I may have missed to set the username correctly? |
I tried changing the library source code to send the short name to cname for kRB5-NT-PRINCIPAL, but that did nothing. I checked the sent request via wireshark. Maybe that's not the problem. |
Describe the bug
The library seems to be failing when trying to talk to MIT Kerberos Server. I've setup a test MIT Kerberos Server, create a principal and trying to use Kerberos.NET to try to obtain TGT. This is failing with
I am able to authenticate with
kinit
without issuesTo Reproduce
docker-compose up
commanddocker exec krb-test-server-demo-1 /bin/sh -c "echo password | kadmin -r MACSUX.DC -p admin/admin@MACSUX.DC -q 'addprinc -pw password iwasvc@MACSUX.DC'"
Linqpad snippet: http://share.linqpad.net/stcnk6.linq
Expected behavior
Authentication successful
Screenshots
Additional context
Tested on Windows with server running in docker.
kinit
test was performed from WSL and was successful.The text was updated successfully, but these errors were encountered: