path: root/crypto/heimdal/doc/win2k.texi
blob: f5ec057f1689afdb7388d53b3fda851bffbb8894
@node Windows 2000 compatability, Acknowledgments, Kerberos 4 issues, Top
@comment  node-name,  next,  previous,  up
@chapter Windows 2000 compatibility

Windows 2000 (formerly known as Windows NT 5) from Microsoft implements
Kerberos 5.  Their implementation, however, has some quirks,
peculiarities, and bugs.  This chapter is a short summary of the things
that we have found out while trying to test Heimdal against Windows
2000.  Another big problem with the Kerberos implementation in Windows
2000 is the almost complete lack of documentation.

This information should apply to Heimdal @value{VERSION} and Windows
2000 RC1.  It is of course subject to change all the time and mostly
consists of our not so inspired guesses.  Hopefully it is still somewhat
useful.

@menu
* Encryption types::            
* Authorization data::          
@end menu

@node Encryption types, Authorization data, Windows 2000 compatability, Windows 2000 compatability
@comment  node-name,  next,  previous,  up
@section Encryption types

Windows 2000 supports both the standard DES encryption types (des-cbc-crc
and des-cbc-md5) and its own proprietary encryption type, based on MD4 and
RC4, whose specification you could not get hold of without an NDA.  (That
type was later published as rc4-hmac in RFC 4757; single DES has since
been deprecated for Kerberos by RFC 6649 and rc4-hmac by RFC 8429, so
neither should be relied on today.)  To enable a given principal to use
DES, it needs to have DES keys in the database.  Windows derives the keys
from the password at the time the password is set, so you need to enable
DES keys for the particular principal with the user administration tool
(the ``Use DES encryption types for this account'' option) and then
change the password.

@node Authorization data,  , Encryption types, Windows 2000 compatability
@comment  node-name,  next,  previous,  up
@section Authorization data

The Windows 2000 KDC also adds extra authorization data to tickets.
It is at this point unclear what triggers it to do so.  The format of
this data is not documented and, according to Microsoft, subject to
change.  A simple way of getting hold of the data, so that it can be
studied, is described here.

@enumerate
@item Find the client example on using the SSPI in the SDK documentation.
@item Change ``AuthSamp'' in the source code to lowercase.
@item Build the program.
@item Add the ``authsamp'' principal with a known password to the
database.  Make sure it has a DES key.
@item Run @kbd{ktutil add} to add the key for that principal to a
keytab.
@item Run @kbd{appl/test/nt_gss_server -p 2000 -s authsamp
--dump-auth=file} where file is an appropriate file.
@item The server should authenticate the client and dump the
authorization data to that file.
@item The tool @kbd{lib/asn1/asn1_print} is somewhat useful for
analyzing the data.
@end enumerate
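The file dumped by @kbd{nt_gss_server --dump-auth} is the ticket's
AuthorizationData value in DER, that is, a SEQUENCE OF SEQUENCE of an
@code{ad-type} INTEGER and an @code{ad-data} OCTET STRING (RFC 4120
section 5.2.6).  The following script, an added example and not part of
Heimdal or of the procedure above, walks that outer structure so you can
see which elements are present and how large they are before feeding the
interesting one to @kbd{asn1_print} or a hex dump.  It descends into
AD-IF-RELEVANT containers (ad-type 1) because Windows wraps its element
in one; the ad-type value 128 and its name AD-WIN2K-PAC come from the
RFC 4120 registry, while the contents of that element are left opaque, as
the page does not describe them.  The sample blob at the bottom is
constructed inline with a placeholder payload so the script runs without
a Windows KDC; the DER encoding helpers exist only to build that sample.

```python
# Walk a DER-encoded Kerberos AuthorizationData value (RFC 4120 section 5.2.6):
#
#   AuthorizationData ::= SEQUENCE OF SEQUENCE {
#       ad-type   [0] Int32,
#       ad-data   [1] OCTET STRING
#   }
#
# Windows puts its own element inside an AD-IF-RELEVANT container, so the
# walker unwraps those recursively.  The Windows element itself stays opaque.

AD_IF_RELEVANT = 1    # RFC 4120 section 5.2.6.1
AD_WIN2K_PAC = 128    # RFC 4120 section 7.5.4 reserves 128 for AD-WIN2K-PAC


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the byte count
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV value")
    return tag, bytes(value), pos + length


def parse_authorization_data(der):
    """Return a list of (ad_type, ad_data) from one AuthorizationData SEQUENCE."""
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single outer SEQUENCE")
    elements, pos = [], 0
    while pos < len(seq):
        tag, elem, pos = read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("element is not a SEQUENCE")
        tag0, ctx0, p = read_tlv(elem, 0)      # [0] EXPLICIT ad-type
        tag1, ctx1, p = read_tlv(elem, p)      # [1] EXPLICIT ad-data
        if (tag0, tag1, p) != (0xA0, 0xA1, len(elem)):
            raise ValueError("unexpected element layout")
        itag, ival, _ = read_tlv(ctx0, 0)      # INTEGER inside [0]
        otag, oval, _ = read_tlv(ctx1, 0)      # OCTET STRING inside [1]
        if itag != 0x02 or otag != 0x04:
            raise ValueError("ad-type/ad-data carry the wrong universal tags")
        elements.append((int.from_bytes(ival, "big", signed=True), oval))
    return elements


def flatten(der, depth=0):
    """Yield (depth, ad_type, ad_data), descending into AD-IF-RELEVANT containers."""
    for ad_type, ad_data in parse_authorization_data(der):
        yield (depth, ad_type, ad_data)
        if ad_type == AD_IF_RELEVANT:
            yield from flatten(ad_data, depth + 1)


def describe(der):
    """Return one summary line per element, indented by nesting depth."""
    names = {AD_IF_RELEVANT: "AD-IF-RELEVANT", AD_WIN2K_PAC: "AD-WIN2K-PAC"}
    return ["%sad-type %d (%s), %d bytes" % ("  " * d, t, names.get(t, "unknown"), len(v))
            for d, t, v in flatten(der)]


# --- DER encoding helpers, used only to construct the sample blob below ---

def der_tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def der_integer(i):
    n = 1
    while True:                            # smallest two's-complement width that fits
        try:
            return der_tlv(0x02, i.to_bytes(n, "big", signed=True))
        except OverflowError:
            n += 1


def build_authorization_data(elements):
    body = b"".join(
        der_tlv(0x30, der_tlv(0xA0, der_integer(t)) + der_tlv(0xA1, der_tlv(0x04, d)))
        for t, d in elements)
    return der_tlv(0x30, body)


# Constructed sample: AD-IF-RELEVANT { AD-WIN2K-PAC <200 opaque bytes> }.
# The payload is a placeholder, not a real Windows PAC.
SAMPLE_PAYLOAD = bytes(range(200))
SAMPLE = build_authorization_data([
    (AD_IF_RELEVANT, build_authorization_data([(AD_WIN2K_PAC, SAMPLE_PAYLOAD)])),
])

if __name__ == "__main__":
    print("\n".join(describe(SAMPLE)))
```

To use it on a real dump, replace @code{SAMPLE} with the bytes of the
file written by @kbd{--dump-auth} and pass the @code{ad-data} of the
element you are interested in to @kbd{asn1_print}; the parser is
deliberately strict (one outer SEQUENCE, exact tags, no trailing bytes),
so a @code{ValueError} on a real capture tells you the blob is not a bare
AuthorizationData and you should look at the surrounding structure first.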
