[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Cannot get gssapi delegation w/ archfour-hmac-md5 to work


I'm having trouble with delegation. When gss_accept_sec_context trys
to decrypt the fw_data in the AP-REQ it fails due to checksum mismatch
and delegation is disabled. The key used matches the subkey in Ethereal
[1]. I know this isn't the salt issue Markus reported because DES works
fine and it doesn't make any difference if I user a User or Computer
account but could this be another kind of salt issue?

This crypto stuff is hard for me. I'd really appreciate some help even
if they're just guesses.


The exact failure is in lib/krb5/crypto.c. Checksums and error follow:

00000:  c3 fe 43 85 2e 6a f4 54 65 45 38 3c c7 17 a3 32  |..C..j.TeE8<...2|
00000:  ba 54 a9 bd 24 e4 8f 1b 53 51 83 4b 31 ce e5 3d  |.T..$...SQ.K1..=|
crypto.c:2681:ARCFOUR_subdecrypt: KRB5KRB_AP_ERR_BAD_INTEGRITY

[1] Incedentally Ethereal doesn't actually decode the fw_data
    correctly. It get's lumped into the gss chksum.

Michael B Allen
PHP Extension for SSO w/ Windows Group Authorization