Diffstat (limited to 'crypto/heimdal/doc/win2k.texi')
-rw-r--r-- crypto/heimdal/doc/win2k.texi 57
1 files changed, 57 insertions, 0 deletions
diff --git a/crypto/heimdal/doc/win2k.texi b/crypto/heimdal/doc/win2k.texi
new file mode 100644
index 0000000..f5ec057
--- /dev/null
+++ b/crypto/heimdal/doc/win2k.texi
@@ -0,0 +1,57 @@
+@node Windows 2000 compatability, Acknowledgments, Kerberos 4 issues, Top
+@comment node-name, next, previous, up
+@chapter Windows 2000 compatability
+
+Windows 2000 (formerly known as Windows NT 5) from Microsoft implements
+Kerberos 5. Their implementation, however, has some quirks,
+peculiarities, and bugs. This chapter is a short summary of the things
+that we have found out while trying to test Heimdal against Windows
+2000. Another big problem with the Kerberos implementation in Windows
+2000 is the almost complete lack of documentation.
+
+This information should apply to Heimdal @value{VERSION} and Windows
+2000 RC1. It's of course subject all the time and mostly consists of
+our not so inspired guesses. Hopefully it's still somewhat useful.
+
+@menu
+* Encryption types::
+* Authorization data::
+@end menu
+
+@node Encryption types, Authorization data, Windows 2000 compatability, Windows 2000 compatability
+@comment node-name, next, previous, up
+@section Encryption types
+
+Windows 2000 supports both the standard DES encryptions (des-cbc-crc and
+des-cbc-md5) and its own proprietary encryption that is based on md4 and
+rc4 and which you cannot get hold of how it works with a NDA. To enable
+a given principal to use DES, it needs to have DES keys in the database.
+To do this, you need to enable DES keys for the particular principal
+with the user administration tool and then change the password.
+
+@node Authorization data, , Encryption types, Windows 2000 compatability
+@comment node-name, next, previous, up
+@section Authorization data
+
+The Windows 2000 KDC also adds extra authorization data in tickets.
+It is at this point unclear what triggers it to do this. The format of
+this data is unknown and according to Microsoft, subject to change. A
+simple way of getting hold of the data to be able to understand it
+better is described here.
+
+@enumerate
+@item Find the client example on using the SSPI in the SDK documentation.
+@item Change ``AuthSamp'' in the source code to lowercase.
+@item Build the program.
+@item Add the ``authsamp'' principal with a known password to the
+database. Make sure it has a DES key.
+@item Run @kbd{ktutil add} to add the key for that principal to a
+keytab.
+@item Run @kbd{appl/test/nt_gss_server -p 2000 -s authsamp
+--dump-auth=file} where file is an appropriate file.
+@item It should authenticate and dump for you the authorization data in
+the file.
+@item The tool @kbd{lib/asn1/asn1_print} is somewhat useful for
+analyzing the data.
+@end enumerate
+
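Review bot: In the Encryption types section, the clause "which you cannot get hold of how it works with a NDA" does not parse and reads as the opposite of what is presumably intended; reword it, for example as "whose details are not available without an NDA". In the second introductory paragraph, "It's of course subject all the time" is missing "to change". The same section says to enable DES keys "with the user administration tool" without naming the tool or saying which side it belongs to, while step 4 of the list refers to adding the principal to "the database"; naming the tool and the database in both places would remove the ambiguity. "compatability" is misspelled in the @chapter title and in all three @node lines; if it is corrected, the node names and the next/previous/up pointers that repeat them have to change together. The diffstat is limited to this file, so it is worth confirming that the Top menu and the "Kerberos 4 issues" and "Acknowledgments" nodes named in the first @node line were updated to link to the new node. The procedure creates an "authsamp" principal with a known password and a keytab entry for it; a closing step telling the reader to remove both after the dump has been taken would be a useful addition.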