[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Cannot get gssapi delegation w/ archfour-hmac-md5 to work

To: heimdal-discuss@sics.se
Subject: Cannot get gssapi delegation w/ archfour-hmac-md5 to work
From: Michael B Allen <mba2000@ioplex.com>
Date: Tue, 6 Jun 2006 20:22:11 -0400
Sender: owner-heimdal-discuss@sics.se

Hey,

I'm having trouble with delegation. When gss_accept_sec_context trys
to decrypt the fw_data in the AP-REQ it fails due to checksum mismatch
and delegation is disabled. The key used matches the subkey in Ethereal
[1]. I know this isn't the salt issue Markus reported because DES works
fine and it doesn't make any difference if I user a User or Computer
account but could this be another kind of salt issue?

This crypto stuff is hard for me. I'd really appreciate some help even
if they're just guesses.

Thanks,
Mike

The exact failure is in lib/krb5/crypto.c. Checksums and error follow:

crypto.c:2675:ARCFOUR_subdecrypt: 
00000:  c3 fe 43 85 2e 6a f4 54 65 45 38 3c c7 17 a3 32  |..C..j.TeE8<...2|
crypto.c:2677:ARCFOUR_subdecrypt: 
00000:  ba 54 a9 bd 24 e4 8f 1b 53 51 83 4b 31 ce e5 3d  |.T..$...SQ.K1..=|
crypto.c:2681:ARCFOUR_subdecrypt: KRB5KRB_AP_ERR_BAD_INTEGRITY

[1] Incedentally Ethereal doesn't actually decode the fw_data
    correctly. It get's lumped into the gss chksum.

-- 
Michael B Allen
PHP Extension for SSO w/ Windows Group Authorization
http://www.ioplex.com/

Follow-Ups:
- Re: [SOLVED] Cannot get gssapi delegation w/ archfour-hmac-md5 towork
  - From: Michael B Allen <mba2000@ioplex.com>

Prev by Date: Re: gss_init_sec_context igores cred if GSS_SPNEGO_MECHANISM
Next by Date: Re: [SOLVED] Cannot get gssapi delegation w/ archfour-hmac-md5 towork
Prev by thread: One week until AFS & Kerberos Best Practices Workshop 2006
Next by thread: Re: [SOLVED] Cannot get gssapi delegation w/ archfour-hmac-md5 towork
Index(es):
- Date
- Thread