Re: kerberos!

• Previous message: Andrew Aronoff: "Re: SP2 Install Error - Access is denied."
• In reply to: Besirevic, Nesha: "kerberos!"
• Next in thread: Russ: "Re: kerberos!"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Wed, 8 Sep 2004 14:50:47 +0700
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Besirevic, Nesha a écrit :

>Hi,
>
> Another joke from MS....
>
> Scenario:
>
> Two ADs (SBS 2003 - win2003 native mode and 2003 AD - win2000 native mode,
>no trust btw, they are simply using sam IP addresses range)
>
> Administrator account has same password on both ADs.
>
> Without any additional authentication you can easily map Admin Share (C$
>for example) from one AD DC to another being logged on as Administrator.
>
> I thought we passed this kind of traps with KERBEROS!!!!
>
> Can anybody confirm this!!!!
>
> Thanks in advance
>
>
>
>Nesha Besirevic
>Technical Consultant\iScalaCRM
> <http://www.epicor.com/> www.epicor.com
>Tel.: +361 452-7689
>Cell: +3630 996-3238
>Fax: +361 452-7501
>E-Mail: nbesirevic@epicor.com <mailto:nbesirevic@epicor.com>
><file:///C:/Documents%20and%20Settings/Nesha.Besirevic/Local%20Settings/Temp
>/(EmptyReference!)>
>
>
>
>
>
>This e-mail is for the use of the intended recipient(s) only. If you have
>received this e-mail in error, please notify the sender immediately and then
>delete it. If you are not the intended recipient, you must not use, disclose
>or distribute this e-mail without the author's prior permission. We have
>taken precautions to minimize the risk of transmitting software viruses, but
>we advise you to carry out your own virus checks on any attachment to this
>message. We cannot accept liability for any loss or damage caused by
>software viruses.
>
>-----
>NTBugtraq Editor's Note:
>
>Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
>-----
>
>
>
>
This is by design. By default, Kerberos authentication is used only between machines in the same AD or Domain and only if you connect to the server by its name, not its IP address. If you try to connect to a share outside of your AD or if you try to connect a share by using the server's IP address (even in the same domain) NTLM authentication is used. I signaled that to Microsoft about 2 years ago and their only answer is: "this is by design".

 In fact this is related to SPNs (service principal name): if you would use Kerberos authentication you should manually register SPNs for the services you want to connect to (setspn utility).

The IP address issue is "documented" in KB 322979 and the issue you
report is obvious if you consider that SPNs are registered in the
Kerberos DB. The SPN of a service residing in the Kerberos DB of another
AD cannot be found since you have no trust between the two AD. If the
SPN of a service cannot be found, Kerberos will reports an error and
the authentication protocol falls back to NTLM. This can be easily
observed by monitoring the connection attempt with MS Network Monitor,
for example.

Hope it helps,

Bertrand LEGERET

OPEN SYSTEM
Expertise in IT Security

-----
NTBugtraq Editor's Note:

Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
-----

• Previous message: Andrew Aronoff: "Re: SP2 Install Error - Access is denied."
• In reply to: Besirevic, Nesha: "kerberos!"
• Next in thread: Russ: "Re: kerberos!"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Performance issues With Impersonation and Delegation ... Start with the SPNs though. ... service account in AD with an LDAP query and return its servicePrincipalName ... I enabled Kerberos logging on the web service server and now for every web ... (microsoft.public.dotnet.framework.aspnet.security) Re: ADAM Bind to alias pointing local server fails ... you do not want duplicate SPNs that will break the Kerberos auth. ... ADAM replica that I will failover to if necessary. ... instance from another server. ... (microsoft.public.windows.server.active_directory) Re: NegotiateStream delegation issue (or a bug?) ... To access another service on a different machine using Kerberos, ... The SPNs associated with file shares are either cifs/xxxxx or HOST/xxxxx. ... I use NegotiateStream to test Kerberos and delegation in my windows ... private static WindowsIdentity LogonUserTCPListen(string userName, ... (microsoft.public.dotnet.security) Re: Need Help Understanding Kerberos SPN Problem ... And so I figure you're probably spending a while troubleshooting this. ... manually, using Setspn. ... with Kerberos in our domain. ... understand SPNs any better after reading those than I did before. ... (microsoft.public.windows.server.active_directory) Re: Duplicate SPN ... You need to delete these SPNs ... Did you set the service to run using the administrator account? ... a couple of people with this same problem when they have installed CRM. ... Microsoft MVP - Windows Server - Directory Services ... (microsoft.public.windows.server.active_directory)