Re: Kerberos' role in a 'std. setup' without bells & whistles

From: Roger Abell (
Date: 07/01/05

    Date: Thu, 30 Jun 2005 20:46:07 -0700

    As Steve suggests, before trying to fix Kerberos itself, check whether
    you need to fix its key dependencies of DNS and timesync (which can
    be off due to DNS).

    Kerb in a tiny nutshell is that at authentication a TGT, ticket granting
    ticket, is received. This TGT is the passport for getting service tickets
    for accessing services (resources). The TGT is obtained in a fancy
    dance of three parties, and afterwards acts like a token of the holder's
    identity, such that when presented to the KDC it is key to getting
    tickets and hence access to services.

    The steps in the "fancy dance" underlying this must be completed
    within a set time from when they start, so it is critical that all parties
    to the dance believe it is the same time. The PDC emulator of each
    domain is responsible for this time sync service for its domain, and
    the PDC emulator of the forest root domain is responsible for telling
    all the other PDC emulators what time it really is.

    So, if for example, your domain does not have a PDC FSMO at the
    moment, eventual chaos follows. Or, if the DNS records are not
    up-to-date and correctly pointing to the PDC FSMO, machines do
    not find it in order to get in sync (which, if they are out of sync,
    means they will likely stay out of sync since they will not be allowed
    to use the other lookup methods with LDAP inquiry to AD to find
    their PDC FSMO). Again, chaos follows.

    So, start by ruling out issues with the dependencies of Kerberos.
    Run netdiag and dcdiag on each of your domain controllers for a
    first step to see if these utilities like things.

    Roger Abell
    Microsoft MVP (Windows Security)
    "Kim Noer" <> wrote in message
    > Hi there...
    > I haven't quite figured out just yet, what my DC uses Kerberos for, so can
    > anyone here clue me in, what it is used for[1]? I've figured out it's
    > issuing tickets in some security context, and that my DC currently acts as
    > Kerberos Key Distribution Center - and it somehow relates to LDAP/AD. But a
    > look in my event log shows that it runs in a rather faulty way -
    > Event ID 594 :
    > A Kerberos Error Message was received:
    >          on logon session InitializeSecurityContext
    >  Client Time:
    >  Server Time:
    >  Error Code: 4:30:5.0000 6/30/2005 (null) 0x20
    >  Extended Error: KRB_AP_ERR_TKT_EXPIRED
    >  Client Realm:
    >  Client Name:
    >  Server Realm: domain.tld
    >  Server Name: krbtgt/domain.tld
    >  Target Name: krbtgt/domain.tld@domain.tld
    >  Error Text:
    >  File:
    >  Line:
    >  Error Data is in record data.
    > And since I apparently don't know what the server is using Kerberos for it
    > makes it difficult to nick this error. Furthermore, a search on this error,
    > indicates to me that it's quite an extensive task to fix it - eek!
    > A "klist tickets" shows some tickets that have expired, but not reviewed -
    > Server: myDC@domain.tld
    >    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT
    >    End Time: 6/17/2005 7:16:25
    >    Renew Time: 6/23/2005 21:16:25
    > - presumably, this failure to renew the ticket, is what generates the
    > in the event log?
    > [1] I primarily need some quick advice that enables me to either investigate
    > further (read up on Kerberos etc.) if you think I need Kerberos, or some
    > advice on how to disable Kerberos, if you think I don't need Kerberos.
    > -- 
    > I doubt, therefore I might be.
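A way to reason about the two failure modes Roger describes (clock skew versus an expired ticket), as an added example that is not part of this thread: it parses the klist fragment Kim quoted and classifies that ticket against a given client and server time. The 5-minute skew limit is the Active Directory default; MAX_CLOCK_SKEW, parse_klist and diagnose are names chosen here, and the sample text is constructed from the quoted output.

```python
from datetime import datetime, timedelta

# Active Directory's default Kerberos policy tolerates at most 5 minutes
# of clock difference between the parties (assumption: default policy).
MAX_CLOCK_SKEW = timedelta(minutes=5)

# Constructed sample modelled on the klist fragment quoted in the thread
# (US-style M/D/YYYY dates, 24-hour clock).
KLIST_SAMPLE = """Server: myDC@domain.tld
   KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
   End Time: 6/17/2005 7:16:25
   Renew Time: 6/23/2005 21:16:25
"""

def _parse_time(value):
    """klist prints times like '6/17/2005 7:16:25' (no zero padding)."""
    return datetime.strptime(value.strip(), "%m/%d/%Y %H:%M:%S")

def parse_klist(text):
    """Turn a klist-style dump into dicts with server, end and renew_until."""
    tickets, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server:"):
            cur = {"server": line.split(":", 1)[1].strip()}
            tickets.append(cur)
        elif cur is not None and line.startswith("End Time:"):
            cur["end"] = _parse_time(line.split(":", 1)[1])
        elif cur is not None and line.startswith("Renew Time:"):
            cur["renew_until"] = _parse_time(line.split(":", 1)[1])
    return tickets

def diagnose(ticket, client_time, server_time):
    """Explain why a ticket presented at client_time would be rejected.

    Skew is checked first because, as the thread points out, a broken
    time source makes every later Kerberos symptom misleading.
    """
    if abs(client_time - server_time) > MAX_CLOCK_SKEW:
        return "KRB_AP_ERR_SKEW: fix time sync (W32Time, PDC emulator, DNS) first"
    if client_time <= ticket["end"]:
        return "ticket valid"
    if client_time <= ticket["renew_until"]:
        return "KRB_AP_ERR_TKT_EXPIRED: expired but still renewable"
    return "KRB_AP_ERR_TKT_EXPIRED: past renew-till; a fresh logon (new TGT) is needed"

if __name__ == "__main__":
    # The event in the thread was logged on 6/30/2005 at 4:30:05 (constructed).
    now = datetime(2005, 6, 30, 4, 30, 5)
    for t in parse_klist(KLIST_SAMPLE):
        print(t["server"], "->", diagnose(t, now, now))
```

Run against the quoted ticket, the verdict is the last branch: end time 6/17 and renew-till 6/23 are both past on 6/30, so renewal cannot fix it and only a new logon will.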

