Java ignores/errors canonicalized principals (NT-PRINCIPAL) from Active Directory
Osipov, Michael (LDA IT PLM)
michael.osipov at siemens.com
Fri Oct 22 07:48:06 UTC 2021
On 2021-10-21 at 21:38, Wei-Jun Wang wrote:
>
> KrbKdcReq throws the exception on line 55, so it is the previous check
>
>     if (isAsReq && !req.reqBody.cname.equals(rep.cname) &&
>             ((!req.reqBody.kdcOptions.get(KDCOptions.CANONICALIZE) &&
>             req.reqBody.cname.getNameType() !=
>             PrincipalName.KRB_NT_ENTERPRISE) ||
>             !rep.encKDCRepPart.flags.get(Krb5.TKT_OPTS_ENC_PA_REP))) {
>         rep.encKDCRepPart.key.destroy();
>>>>      throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
>     }
>
> So maybe it's that the cname was changed, but I'm not sure about the flags.
>
> Can you send me some packets? Hopefully with a key tab or password so I can look into rep.encKDCRepPart.
I misread the block; of course it is this one. The crealm is changing and
I am not providing an enterprise principal.
Sent you the pcap file. If this isn't enough, will prepare with a keytab.
Michael