I am experimenting with kfw 2.6 which is supposed to be
I am facing a weird problem, maybe due to wrong settings or something else.
Following are the details
Server: Windows 2003
KDC: Active Directory
Client : gss.exe
MIT Client: kfw 2.6
GSS-API error wrapping message: No context has been established
GSS-API error wrapping message: Validation error
krb5.ini
[domain_realm]
beetle.QDMS.CO.IN = QDMS.CO.IN
[libdefaults]
default_keytab_name = .\\krb5kt
default_realm = QDMS.CO.IN
default_tgs_enctypes = DES-CBC-CRC
default_tkt_enctypes = DES-CBC-CRC
ticket_lifetime = 600
[realms]
QDMS.CO.IN = {
admin_server = beetle
kdc = beetle.qdms.co.in:88
}
My gss.exe UI says this
Hostname: beetle.qdms.co.in
port :88
gss service name: test
test message: hello
Cccache name: MSLSA:
Mechanism (OID): 1.2.840.113554.1.2.2
Options are
a) verbose output
b) no auth
The error that I get is this
GSS-API error wrapping message: No context has been established
GSS-API error wrapping message: Validation error
Please help me understand where I am at fault.
Regards
Vikas
The version of the GSS-SSPI server which is shipped
as part of the MS SDK is incompatible with the GSS.EXE
as shipped in KFW 2.6. We are working with Microsoft
to release updated versions of the example code.
Jeffrey Altman
My krb5.ini is lying in the directory where I am running the samples.
Also I have given an environment variable as KRB5CCNAME=MSLSA:
Regards
Vikas
Jeffrey Altman <jalt...@nyc.rr.com> wrote in message news:<4069C657...@nyc.rr.com>...
Is my krb5.ini correct?
C:\kfw-2.6-final\src\athena\auth\krb5\src\appl\gss-sample\obj\i386\dbg>cat c:\WINDOWS\krb5.ini
[domain_realm]
.QDMS.CO.IN = QDMS.CO.IN
QDMS.CO.IN = QDMS.CO.IN
[libdefaults]
default_realm = QDMS.CO.IN
default_keytab_name = .\\krb5kt
default_tgs_enctypes = DES-CBC-CRC
default_tkt_enctypes = DES-CBC-CRC
ticket_lifetime = 600
[realms]
QDMS.CO.IN = {
admin_server = beetle
kdc = beetle.qdms.co.in:88
}
Regards
Vikas
Jeffrey Altman <jalt...@nyc.rr.com> wrote in message news:<406A5EB9...@nyc.rr.com>...
As for kinit, you cannot use 'kinit' with MSLSA: ccaches since the
MSLSA: ccache is read-only. MSLSA: only works if you have already
performed a login via Windows and the current session is authenticated
using the Microsoft Kerberos SSP.
Regards
Vikas
Jeffrey Altman <jalt...@nyc.rr.com> wrote in message news:<406AFED7...@nyc.rr.com>...
Jeffrey Altman
FYI: I have successfully run the SSPI samples and also run against the
GSSAPI samples in Unix. So I feel there is something which I am not
able to understand.
Can you please guide me further.
Regards
Vikas
Jeffrey Altman <jalt...@nyc.rr.com> wrote in message news:<406BB45C...@nyc.rr.com>...
This new feature has been seen in Windows 2003 Server, Windows 2000 Server SP4,
and Windows XP SP2 Beta. We assume that it will be implemented in all future
Microsoft operating systems supporting the Kerberos SSPI. Microsoft does work
closely with MIT and has provided a registry key to disable this new feature.
Can this be a factor for not being able to run the gss-server?
Where can I find this registry key to disable this new feature, as I am
using Windows 2003?
Thanks
Vikas
vga...@quark.co.in (Vikas Gandhi) wrote in message news:<3b5385f6.0404...@posting.google.com>...
> Hi Jeffrey
> I made a new user mittest thru Administrator. Then I created a new
> krb5kt file.
> ktpass -princ mittest/beetle.qdms.co.in -mapuser mittest -pass
The key is listed in the release notes and is automatically set by the
KFW 2.6 installer.
No, this functionality would not affect the gss-server.exe as the
gss-server.exe does not obtain keys from the MSLSA but instead must
obtain keys from a keytab file.
Jeffrey Altman
I rechecked whether I have the right set of variables or not
echo %KRB5CCNAME% gives me MSLSA:
Is there anything else that is missing?
Some other registry setting?
Regards
Vikas
Jeffrey Altman <jalt...@nyc.rr.com> wrote in message news:<406D5BEA...@nyc.rr.com>...
Now I am facing problems to run the gss-client. I have set the
%KRB5CCNAME% to MSLSA:
I was getting
gss-client.exe -port 4444 beetle mittest hello
GSS-API error initializing context: Miscellaneous failure
GSS-API error initializing context: No credentials cache found
Then from Release notes. I even edited the registry for this
C. MSLSA: credential cache client principal identity generation
1. (HKCU\Software\MIT\Kerberos5, PreserveInitialTicketIdentity) if defined
2. (HKLM\Software\MIT\Kerberos5, PreserveInitialTicketIdentity) if defined
3. Default is 1.
Still the problem is the same.
Regards
Vikas
Jeffrey Altman <jalt...@nyc.rr.com> wrote in message news:<406D5BEA...@nyc.rr.com>...
try using gss.exe not gss-client.exe on Windows. It is
shipped with KFW 2.6
> Now I reversed the entry
> HKLM\Software\MIT\Kerberos5\
> PreserveInitialTicketIdentity = 0x0 (DWORD)
> HKCU\Software\MIT\Kerberos5\
> PreserveInitialTicketIdentity = 0x0 (DWORD)
> and introduced new entry
> HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
> AllowTGTSessionKey = 0x01 (DWORD)
> Still the results are the same.
>
> Regards
> Vikas
What does "klist.exe -C" report?
When I used KfW klist
C:\kfw-2.6-final\src\target\bin\i386\dbg\klist.exe -C
I get a blank line.
------------------------------
Next I have used both gss.exe and gss-client.exe.
C:\gss>gss-server.exe -port 4442 -verbose mittest
reading token flags: Bad file descriptor
reading token flags: Bad file descriptor
reading token flags: Bad file descriptor
reading token flags: 0 bytes read
The settings of gss.exe are
Hostname: beetle
Port:4442
Gss service name: mittest
Text message: hello
CCache name: MSLSA:
Mechanism oid: blank
Output:
GSS-API error initializing context: Miscellaneous failure
GSS-API error initializing context: No credentials cache found
Regards
Vikas
Jeffrey Altman <jalt...@nyc.rr.com> wrote in message news:<4070529D...@nyc.rr.com>...
And what does Microsoft's "klist.exe tgt" report?
And what does KFW's "klist -c MSLSA:" report?
If you don't have credentials then you can't use gss
Cached TGT:
ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: mittest
DomainName: QDMS.CO.IN
TargetDomainName: QDMS.CO.IN
AltTargetDomainName: QDMS.CO.IN
TicketFlags: 0x40e00000
KeyExpirationTime: 1/1/1601 5:30:00
StartTime: 4/5/2004 9:28:09
EndTime: 4/5/2004 19:28:09
RenewUntil: 4/12/2004 9:28:09
TimeSkew: 1/1/1601 5:30:00
C:\>C:\OSBA\kfw-2.6-final\src\target\bin\i386\dbg\klist.exe -c MSLSA:
klist.exe: No credentials cache found while resolving ccache MSLSA:
I tried this by running the samples from Administrator but the same
results.
Jeffrey, you are very right when you say that if I don't have credentials
then I can't use gss. But why am I not able to pick up my credentials?
FYI: I am giving a small checklist of registry and environment variables.
#1
C:\>echo %KRB5CCNAME%
MSLSA:
C:\ >echo %KRB5_KTNAME%
.\\krb5kt
#2
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
AllowTGTSessionKey = 0x01 (DWORD)
#3 krb5.ini located in c:\windows says
[domain_realm]
.QDMS.CO.IN = QDMS.CO.IN
QDMS.CO.IN = QDMS.CO.IN
[libdefaults]
dns_lookup_kdc = true
default_realm = QDMS.CO.IN
default_keytab_name = .\\krb5kt
default_tgs_enctypes = DES-CBC-CRC
default_tkt_enctypes = DES-CBC-CRC
ticket_lifetime = 600
[realms]
QDMS.CO.IN = {
admin_server = beetle
kdc = beetle.qdms.co.in:88
}
Is there anything missing in the checklist?
Regards
Vikas
Jeffrey Altman <jalt...@nyc.rr.com> wrote in message news:<4070529D...@nyc.rr.com>...
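The checklist above is effectively a config review, so here is one in code. This is an added example, not code from the thread, from KfW or from MIT: a small parser for the krb5.ini profile format (sections, key = value, one level of { } blocks) plus a linter that runs the checks a reviewer would make on the krb5.ini files Vikas posted. POSTED_INI is the first krb5.ini from the thread, copied as posted; HARDENED_INI is a constructed counterpart. Assumptions: the [domain_realm] walk is a simplification of MIT's (exact host, then each parent domain with a leading dot); the mixed-case warning rests on MIT lowercasing the host name before the lookup while profile keys compare case-sensitively; the single-DES warning reflects current MIT (allow_weak_crypto is off by default since 1.8) and current Active Directory, not a 2004-era KDC; and the hardened config uses AES enctypes, which a Windows 2003 DC did not offer (that era would need rc4-hmac).

```python
"""Parse and lint an MIT krb5.ini (added example, not code from the thread or KfW)."""
import re

# Single-DES enctype names as MIT spells them: 56-bit keys, refused by default since
# MIT krb5 1.8 (allow_weak_crypto = false) and disabled by default in current AD.
WEAK_ENCTYPES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw"}

# The first krb5.ini posted in the thread, copied verbatim.
POSTED_INI = r"""
[domain_realm]
beetle.QDMS.CO.IN = QDMS.CO.IN
[libdefaults]
default_keytab_name = .\\krb5kt
default_realm = QDMS.CO.IN
default_tgs_enctypes = DES-CBC-CRC
default_tkt_enctypes = DES-CBC-CRC
ticket_lifetime = 600
[realms]
QDMS.CO.IN = {
admin_server = beetle
kdc = beetle.qdms.co.in:88
}
"""

# Constructed counterpart for a current KDC (assumption: AES enctypes are available;
# a Windows 2003 DC did not offer them and would need rc4-hmac instead).
HARDENED_INI = r"""
[domain_realm]
.qdms.co.in = QDMS.CO.IN
qdms.co.in = QDMS.CO.IN
[libdefaults]
default_realm = QDMS.CO.IN
default_keytab_name = FILE:C:\krb5\krb5kt
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
ticket_lifetime = 10h
[realms]
QDMS.CO.IN = {
kdc = beetle.qdms.co.in:88
}
"""


def parse_krb5(text):
    """Profile format -> {section: {key: value or nested dict}}; last repeated key wins."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if value == "{":                       # nested block, e.g. a realm
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf


def realm_for_host(conf, host):
    """Simplified MIT [domain_realm] walk (case-insensitive): host, then .parent domains."""
    mapping = {k.lower(): (k, v) for k, v in conf.get("domain_realm", {}).items()}
    host = host.lower().rstrip(".")
    labels = host.split(".")
    for cand in [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]:
        if cand in mapping:
            key, realm = mapping[cand]
            return realm, key
    return None, None


def lint(conf, target_host):
    """Return [(code, message)] for the settings a reviewer would question."""
    out = []
    lib = conf.get("libdefaults", {})
    realm, key = realm_for_host(conf, target_host)
    if realm is None:
        out.append(("REALM_UNMAPPED", "no [domain_realm] entry covers %s" % target_host))
    elif key != key.lower():
        # MIT lowercases the host before the lookup; profile keys compare case-sensitively
        out.append(("REALM_KEY_CASE", "[domain_realm] key %r is mixed-case" % key))
    for opt in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        for et in re.split(r"[,\s]+", lib.get(opt, "").strip()):
            if et.lower() in WEAK_ENCTYPES:
                out.append(("WEAK_ENCTYPE", "%s = %s is single DES" % (opt, et)))
    kt = lib.get("default_keytab_name", "")
    path = kt[5:] if kt.upper().startswith("FILE:") else kt
    if path and not (path.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", path)):
        out.append(("KEYTAB_RELATIVE", "default_keytab_name = %s is relative to the cwd" % kt))
    life = lib.get("ticket_lifetime", "")
    if life.isdigit():
        out.append(("LIFETIME_SECONDS", "ticket_lifetime = %s has no unit: MIT reads seconds" % life))
    return out
```

Run `lint(parse_krb5(POSTED_INI), "beetle.qdms.co.in")` and it reports the mixed-case mapping key, both DES enctype settings, the keytab path that depends on where gss-server.exe is started from, and a 600-second ticket lifetime; the same call on HARDENED_INI returns nothing.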
src/athena/auth/krb5/src/lib/krb5/ccache/cc_mslsa.c
The stack before.....
krb5_32.dll!IsKerberosLogon() Line 465 C
krb5_32.dll!krb5_lcc_resolve(_krb5_context * context=0x003c2e38,
_krb5_ccache * * id=0x0012f75c, const char * residual=0x003c506e)
Line 1102 + 0x5 C
krb5_32.dll!krb5_cc_resolve(_krb5_context * context=0x003c2e38,
const char * name=0x003c5068, _krb5_ccache * * cache=0x0012f75c) Line
122 + 0x14 C
krb5_32.dll!krb5_cc_default(_krb5_context * context=0x003c2e38,
_krb5_ccache * * ccache=0x0012f75c) Line 53 + 0x17 C
krb5_32.dll!krb5int_cc_default(_krb5_context * context=0x003c2e38,
_krb5_ccache * * ccache=0x0012f75c) Line 145 C
gssapi32.dll!acquire_init_cred() Line 200 + 0xd C
gssapi32.dll!krb5_gss_acquire_cred(unsigned int *
minor_status=0x0012fa8c, void * desired_name=0x00000000, unsigned int
time_req=4294967295, gss_OID_set_desc_struct *
desired_mechs=0x00000000, int cred_usage=1, void * *
output_cred_handle=0x0012f8d8, gss_OID_set_desc_struct * *
actual_mechs=0x00000000, unsigned int * time_rec=0x00000000) Line 427
+ 0x36 C
gssapi32.dll!kg_get_defcred(unsigned int * minor_status=0x0012fa8c,
void * * cred=0x0012f8d8) Line 146 + 0x19 C
gssapi32.dll!krb5_gss_init_sec_context(unsigned int *
minor_status=0x0012fa8c, void * claimant_cred_handle=0x00000000, void
* * context_handle=0x0012fd00, void * target_name=0x003c50e8,
gss_OID_desc_struct * mech_type=0x00000000, unsigned int req_flags=6,
unsigned int time_req=0, gss_channel_bindings_struct *
input_chan_bindings=0x00000000, gss_buffer_desc_struct *
input_token=0x00000000, gss_OID_desc_struct * *
actual_mech_type=0x00000000, gss_buffer_desc_struct *
output_token=0x0012fad8, unsigned int * ret_flags=0x0012fcbc, unsigned
int * time_rec=0x00000000) Line 909 + 0xd C
> gssapi32.dll!gss_init_sec_context(unsigned int *
minor_status=0x0012fa8c, void * claimant_cred_handle=0x00000000, void
* * context_handle=0x0012fd00, void * target_name=0x003c50e8,
gss_OID_desc_struct * mech_type=0x00000000, unsigned int req_flags=6,
unsigned int time_req=0, gss_channel_bindings_struct *
input_chan_bindings=0x00000000, gss_buffer_desc_struct *
input_token=0x00000000, gss_OID_desc_struct * *
actual_mech_type=0x00000000, gss_buffer_desc_struct *
output_token=0x0012fad8, unsigned int * ret_flags=0x0012fcbc, unsigned
int * time_rec=0x00000000) Line 262 + 0x39 C
gss-sample.exe!client_establish_context() Line 226 + 0x2f C
gss-sample.exe!call_server() Line 386 + 0x25 C
gss-sample.exe!main() Line 679 + 0x49 C
gss-sample.exe!mainCRTStartup() Line 259 + 0x19 C
kernel32.dll!77e4f38c()
Regards
Vikas
Jeffrey Altman <jalt...@nyc.rr.com> wrote in message news:<4071078E...@nyc.rr.com>...
If your logon session is not authenticated with Kerberos
but with NTLM, how are you obtaining tickets for display
by microsoft's "kinit.exe tgt"?
Can you guide me on what I should try next to debug? How can I change
NTLM to Kerberos?
Any hint to proceed...
Regards
Vikas
Jeffrey Altman <jalt...@nyc.rr.com> wrote in message news:<4071078E...@nyc.rr.com>...
> Jeffrey
> Even I am trying hard to understand the meaning of this. I also ran
> the SSPI samples and they ran fine. So I am more than confused.
>
> Can you guide me on what I should try next to debug? How can I change
> NTLM to Kerberos?
> Any hint to proceed...
>
> Regards
> Vikas
How are you logging into your workstation?
Is the workstation part of a Windows domain or authenticating against a
non-Microsoft KDC?
Is the workstation connected to the network at the time you logged in?
Are there any special GINAs installed on the machine?
You will need to help me identify how the Microsoft Kerberos tickets
are being obtained. The fact that "NTLM" is the logon session
authentication mechanism appears to indicate that the Kerberos tickets
were not obtained during the session initiation. The question is then
when and how did you obtain them?
FYI: I am using kfw-2.6-src-final.zip which I downloaded on 3/29/2004
Regards
Vikas
Jeffrey Altman <jalt...@nyc.rr.com> wrote in message news:<40718A0F...@nyc.rr.com>...
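Jeffrey's last questions are about how the Microsoft tickets were obtained, and the "klist.exe tgt" output Vikas posted earlier already answers part of that if the TicketFlags word is decoded. This is an added example, not code from the thread or from either Kerberos implementation: a decoder for that output. KLIST_TGT_OUTPUT is the posted text, copied as is. The flag bit values are the KERB_TICKET_FLAGS constants (the RFC 4120 ticket-flag layout); the reading of 1/1/1601 as "field not set" rests on it being the zero FILETIME, and the reading of "initial" follows RFC 4120, where INITIAL marks a ticket issued by the AS exchange rather than from a TGT.

```python
"""Decode Microsoft "klist tgt" output (added example; not code from the thread or
from either Kerberos implementation)."""
from datetime import datetime

# KERB_TICKET_FLAGS_* bit values (same layout as RFC 4120 ticket flags, bit 0 = MSB).
TICKET_FLAGS = {
    0x40000000: "forwardable", 0x20000000: "forwarded", 0x10000000: "proxiable",
    0x08000000: "proxy", 0x04000000: "may_postdate", 0x02000000: "postdated",
    0x01000000: "invalid", 0x00800000: "renewable", 0x00400000: "initial",
    0x00200000: "pre_authent", 0x00100000: "hw_authent",
    0x00040000: "ok_as_delegate", 0x00010000: "name_canonicalize",
}

# The "klist.exe tgt" output Vikas posted, copied verbatim.
KLIST_TGT_OUTPUT = """\
Cached TGT:
ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: mittest
DomainName: QDMS.CO.IN
TargetDomainName: QDMS.CO.IN
AltTargetDomainName: QDMS.CO.IN
TicketFlags: 0x40e00000
KeyExpirationTime: 1/1/1601 5:30:00
StartTime: 4/5/2004 9:28:09
EndTime: 4/5/2004 19:28:09
RenewUntil: 4/12/2004 9:28:09
TimeSkew: 1/1/1601 5:30:00
"""


def parse_klist_tgt(text):
    """'Key: value' lines -> dict; the 'Cached TGT:' banner has no value and is skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def decode_flags(hexstr):
    """Return (set of flag names, leftover bits that have no name in the table)."""
    value = int(hexstr, 16)
    names = {name for bit, name in TICKET_FLAGS.items() if value & bit}
    return names, value & ~sum(TICKET_FLAGS)


def parse_time(s):
    """klist prints local time as m/d/yyyy h:mm:ss."""
    return datetime.strptime(s, "%m/%d/%Y %H:%M:%S")


def summarize(text):
    f = parse_klist_tgt(text)
    flags, unknown = decode_flags(f["TicketFlags"])
    start, end = parse_time(f["StartTime"]), parse_time(f["EndTime"])
    return {
        "realm": f["DomainName"],
        "flags": sorted(flags),
        "unknown_flag_bits": unknown,
        "lifetime_hours": (end - start).total_seconds() / 3600,
        "renewable_for_days": (parse_time(f["RenewUntil"]) - start).days,
        # 1/1/1601 is FILETIME zero: Windows prints it when a field is not set
        "key_expiration_set": parse_time(f["KeyExpirationTime"]).year != 1601,
        # RFC 4120 INITIAL: the ticket came from an AS exchange, not from a TGS
        # request or a forwarded credential
        "from_as_exchange": "initial" in flags,
    }


if __name__ == "__main__":
    for k, v in summarize(KLIST_TGT_OUTPUT).items():
        print("%-20s %s" % (k, v))
```

For the posted output this yields forwardable, renewable, initial and pre_authent, a 10-hour lifetime and a 7-day renew window, which is what a default AD domain policy issues at logon; the initial flag says the TGT was obtained by an AS exchange for that principal, which is the kind of evidence Jeffrey is asking for when the logon session itself reports NTLM.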