author | markm <markm@FreeBSD.org> | 2000-01-09 20:58:00 +0000 |
---|---|---|
committer | markm <markm@FreeBSD.org> | 2000-01-09 20:58:00 +0000 |
commit | 4ecbd6db44d79348bc815f31096e53104f50838b (patch) | |
tree | 36fa73706fa0587a390c45a3fbf17c9523cb0e35 /crypto/heimdal/doc/win2k.texi | |
download | FreeBSD-src-4ecbd6db44d79348bc815f31096e53104f50838b.zip FreeBSD-src-4ecbd6db44d79348bc815f31096e53104f50838b.tar.gz |
Import KTH Heimdal, which will be the core of our Kerberos5.
Userland to follow.
Diffstat (limited to 'crypto/heimdal/doc/win2k.texi')
-rw-r--r-- | crypto/heimdal/doc/win2k.texi | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/crypto/heimdal/doc/win2k.texi b/crypto/heimdal/doc/win2k.texi new file mode 100644 index 0000000..f5ec057 --- /dev/null +++ b/crypto/heimdal/doc/win2k.texi 
@@ -0,0 +1,57 @@ +@node Windows 2000 compatability, Acknowledgments, Kerberos 4 issues, Top +@comment node-name, next, previous, up +@chapter Windows 2000 compatability + +Windows 2000 (formerly known as Windows NT 5) from Microsoft implements +Kerberos 5. Their implementation, however, has some quirks, +peculiarities, and bugs. This chapter is a short summary of the things +that we have found out while trying to test Heimdal against Windows +2000. Another big problem with the Kerberos implementation in Windows +2000 is the almost complete lack of documentation. + +This information should apply to Heimdal @value{VERSION} and Windows +2000 RC1. It's of course subject all the time and mostly consists of +our not so inspired guesses. Hopefully it's still somewhat useful. + +@menu +* Encryption types:: +* Authorization data:: +@end menu + +@node Encryption types, Authorization data, Windows 2000 compatability, Windows 2000 compatability +@comment node-name, next, previous, up +@section Encryption types + +Windows 2000 supports both the standard DES encryptions (des-cbc-crc and +des-cbc-md5) and its own proprietary encryption that is based on md4 and +rc4 and which you cannot get hold of how it works with a NDA. To enable +a given principal to use DES, it needs to have DES keys in the database. +To do this, you need to enable DES keys for the particular principal +with the user administration tool and then change the password. + +@node Authorization data, , Encryption types, Windows 2000 compatability +@comment node-name, next, previous, up +@section Authorization data + +The Windows 2000 KDC also adds extra authorization data in tickets. +It is at this point unclear what triggers it to do this. The format of +this data is unknown and according to Microsoft, subject to change. A +simple way of getting hold of the data to be able to understand it +better is described here. + +@enumerate +@item Find the client example on using the SSPI in the SDK documentation. 
+@item Change ``AuthSamp'' in the source code to lowercase. +@item Build the program. +@item Add the ``authsamp'' principal with a known password to the +database. Make sure it has a DES key. +@item Run @kbd{ktutil add} to add the key for that principal to a +keytab. +@item Run @kbd{appl/test/nt_gss_server -p 2000 -s authsamp +--dump-auth=file} where file is an appropriate file. +@item It should authenticate and dump for you the authorization data in +the file. +@item The tool @kbd{lib/asn1/asn1_print} is somewhat useful for +analyzing the data. +@end enumerate + |
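Review bot: The node and chapter name is spelled "compatability" in the @chapter line and in every @node line of this file; it should be "compatibility". Texinfo node names must match exactly, so all occurrences need to change together, along with any menu entry in the parent document that points at this node. In the second paragraph, "It's of course subject all the time" is missing words, presumably "subject to change all the time". In the Encryption types section, "which you cannot get hold of how it works with a NDA" does not parse and can be read as the opposite of what is meant; state directly whether the details are available only under an NDA. The same section says to enable DES keys "with the user administration tool" without saying which system's tool that is; naming it would make the later step "Make sure it has a DES key" actionable. In the enumerate, the @kbd for nt_gss_server uses "file" as a placeholder; marking it with @var{file} would separate it from the literal arguments.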