@node Windows 2000 compatability, Acknowledgments, Kerberos 4 issues, Top
@comment node-name, next, previous, up
@chapter Windows 2000 compatibility

Windows 2000 (formerly known as Windows NT 5) from Microsoft implements
Kerberos 5. Their implementation, however, has some quirks,
peculiarities, and bugs. This chapter is a short summary of the things
that we have found out while trying to test Heimdal against Windows
2000. Another big problem with the Kerberos implementation in Windows
2000 is the almost complete lack of documentation.

This information should apply to Heimdal @value{VERSION} and Windows
2000 RC1. It is of course subject to change all the time and mostly
consists of our not so inspired guesses. Hopefully it's still somewhat
useful.

@menu
* Encryption types::
* Authorization data::
@end menu

@node Encryption types, Authorization data, Windows 2000 compatability, Windows 2000 compatability
@comment node-name, next, previous, up
@section Encryption types

Windows 2000 supports both the standard DES encryption types
(des-cbc-crc and des-cbc-md5) and its own proprietary encryption type,
based on MD4 and RC4, which is supposed to be described in
draft-brezak-win2k-krb-rc4-hmac-01.txt. For a given principal to be
able to use DES, it needs to have DES keys in the database. To arrange
this, enable DES keys for that principal with the user administration
tool and then change the password, so that the new keys get generated.

@node Authorization data, , Encryption types, Windows 2000 compatability
@comment node-name, next, previous, up
@section Authorization data

The Windows 2000 KDC also adds extra authorization data to tickets.
It is at this point unclear what triggers it to do this. The format of
this data is unknown and, according to Microsoft, subject to change. A
simple way of getting hold of the data, so as to be able to understand
it better, is described here.

@enumerate
@item Find the client example on using the SSPI in the SDK documentation.
@item Change ``AuthSamp'' in the source code to lowercase.
@item Build the program.
@item Add the ``authsamp'' principal with a known password to the
database. Make sure it has a DES key.
@item Run @kbd{ktutil add} to add the key for that principal to a
keytab.
@item Run @kbd{appl/test/nt_gss_server -p 2000 -s authsamp
--dump-auth=file}, where file is the file the authorization data should
be written to.
@item It should authenticate and dump the authorization data into that
file for you.
@item The tool @kbd{lib/asn1/asn1_print} is somewhat useful for
analyzing the data.
@end enumerate
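The dumped data is, at the outermost level, ordinary Kerberos
AuthorizationData: a SEQUENCE OF elements, each with an ad-type integer
and an ad-data octet string. The following decoder is an added example
for walking that container and is not part of Heimdal. It assumes that
the file written by --dump-auth holds the raw DER AuthorizationData from
the ticket (if the tool writes something else, strip that first), it
unwraps AD-IF-RELEVANT elements (ad-type 1, from the Kerberos
specification) recursively since those carry another AuthorizationData
inside ad-data, and it leaves every other payload as opaque bytes,
which is as far as one can go while the format itself is undocumented.
The sample bytes at the bottom are constructed for the example; the
inner ad-type 200 and its payload are invented and say nothing about
what Windows 2000 actually puts there.

```python
"""Walk the DER AuthorizationData dumped by nt_gss_server --dump-auth.

Added example, not Heimdal code.  Wire format (Kerberos specification):

    AuthorizationData ::= SEQUENCE OF SEQUENCE {
        ad-type [0] Int32,
        ad-data [1] OCTET STRING
    }
"""
from __future__ import annotations
import sys

AD_IF_RELEVANT = 1  # ad-data of this type is itself an AuthorizationData


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one DER TLV at buf[pos] and return (tag, value, next_pos).

    Single-byte tags and definite lengths are all AuthorizationData uses.
    Every length is checked against the buffer so a truncated or corrupt
    dump raises ValueError instead of being read as garbage.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated DER at offset %d" % pos)
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is not valid DER")
    else:
        nbytes = first & 0x7F
        if nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length at offset %d" % (pos - 1))
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("length %d overruns buffer at offset %d" % (length, pos))
    return tag, buf[pos:pos + length], pos + length


def expect(buf: bytes, pos: int, tag: int) -> tuple[bytes, int]:
    """Read a TLV and insist that it carries the given tag."""
    got, value, nxt = read_tlv(buf, pos)
    if got != tag:
        raise ValueError("expected tag 0x%02x at offset %d, got 0x%02x" % (tag, pos, got))
    return value, nxt


def parse_authorization_data(der: bytes) -> list[dict]:
    """Decode AuthorizationData into dicts with ad-type and ad-data; an
    AD-IF-RELEVANT element also gets a "nested" list of its inner elements."""
    outer, end = expect(der, 0, 0x30)            # SEQUENCE OF
    if end != len(der):
        raise ValueError("%d trailing bytes after AuthorizationData" % (len(der) - end))
    elements, pos = [], 0
    while pos < len(outer):
        element, pos = expect(outer, pos, 0x30)  # SEQUENCE
        ctx0, p = expect(element, 0, 0xA0)       # [0] ad-type
        raw_type, _ = expect(ctx0, 0, 0x02)      #     INTEGER
        ctx1, p = expect(element, p, 0xA1)       # [1] ad-data
        ad_data, _ = expect(ctx1, 0, 0x04)       #     OCTET STRING
        if p != len(element):
            raise ValueError("unexpected extra field in AuthorizationData element")
        entry = {"ad-type": int.from_bytes(raw_type, "big", signed=True),
                 "ad-data": ad_data}
        if entry["ad-type"] == AD_IF_RELEVANT:
            entry["nested"] = parse_authorization_data(ad_data)
        elements.append(entry)
    return elements


def summarize(elements: list[dict], depth: int = 0) -> list[str]:
    """One indented text line per element, showing the first bytes of ad-data."""
    lines = []
    for e in elements:
        head = e["ad-data"][:16].hex() + ("..." if len(e["ad-data"]) > 16 else "")
        lines.append("%sad-type %d, %d bytes: %s" % ("  " * depth, e["ad-type"],
                                                       len(e["ad-data"]), head))
        if "nested" in e:
            lines.extend(summarize(e["nested"], depth + 1))
    return lines


def der_tlv(tag: int, value: bytes) -> bytes:
    """Encode one TLV with a definite length (used only to build the sample)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_authorization_data(elements: list[tuple[int, bytes]]) -> bytes:
    """Encode [(ad-type, ad-data), ...] as DER AuthorizationData."""
    body = b""
    for ad_type, ad_data in elements:
        nbytes = max(1, (ad_type.bit_length() + 8) // 8)  # leave room for the sign bit
        body += der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, ad_type.to_bytes(nbytes, "big", signed=True)))
                              + der_tlv(0xA1, der_tlv(0x04, ad_data)))
    return der_tlv(0x30, body)


# Constructed sample: AD-IF-RELEVANT wrapping one element whose ad-type (200)
# and 130-byte payload are invented; the long payload exercises long-form lengths.
SAMPLE_PAYLOAD = bytes(range(130))
SAMPLE_INNER = encode_authorization_data([(200, SAMPLE_PAYLOAD)])
SAMPLE_AUTHDATA = encode_authorization_data([(AD_IF_RELEVANT, SAMPLE_INNER)])

if __name__ == "__main__":
    # With a path argument, read the --dump-auth file; otherwise decode the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_AUTHDATA
    print("\n".join(summarize(parse_authorization_data(data))))
```

Run it with the dump file as its only argument, or without one to see
the constructed sample decoded. It does the same outer unwrapping that
you would otherwise do by hand from the asn1_print output, and stops at
the opaque payload, which is exactly the part still to be understood.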