
using rdesktop and kerberos auth


Sven Geggus

Jan 7, 2014, 8:08:27 AM
Hello,

I just discovered that recent versions of rdesktop seem to support Kerberos
authentication.

However it just seems to work to some degree.

It seems to work using a TERMSRV/tserv.do...@DOMAIN.TLD service principal.

I get "Connection established using CredSSP."

However, Windows does not let me log in but tells me that I have specified an
invalid password (WTF?) or username.

Here is the debug output I get:
[17563] 1389099777.107443: ccselect module realm chose cache FILE:/tmp/krb5cc_15005_AoKyeA with client principal user...@DOMAIN.TLD for server principal TERMSRV/tserv.do...@DOMAIN.TLD
[17563] 1389099777.107523: Getting credentials user...@DOMAIN.TLD -> TERMSRV/tserv.do...@DOMAIN.TLD using ccache FILE:/tmp/krb5cc_15005_AoKyeA
[17563] 1389099777.107604: Retrieving user...@DOMAIN.TLD -> TERMSRV/tserv.do...@DOMAIN.TLD from FILE:/tmp/krb5cc_15005_AoKyeA with result: 0/Success
[17563] 1389099777.107713: Retrieving user...@DOMAIN.TLD -> krbtgt/DOMAI...@DOMAIN.TLD from FILE:/tmp/krb5cc_15005_AoKyeA with result: 0/Success
[17563] 1389099777.107748: Generated subkey for TGS request: rc4-hmac/9175
[17563] 1389099777.107780: etypes requested in TGS request: rc4-hmac
[17563] 1389099777.108237: Sending request (1645 bytes) to DOMAIN.TLD
[17563] 1389099777.108939: Resolving hostname pcdc1.domain.tld
[17563] 1389099777.109099: Initiating TCP connection to stream 10.1.1.10:88
[17563] 1389099777.109575: Sending TCP request to stream 10.1.1.10:88
[17563] 1389099777.111271: Received answer from stream 10.1.1.10:88
[17563] 1389099777.128741: Response was not from master KDC
[17563] 1389099777.128803: TGS reply is for user...@DOMAIN.TLD -> krbtgt/DOMAI...@DOMAIN.TLD with session key rc4-hmac/86A8
[17563] 1389099777.128901: Creating authenticator for user...@DOMAIN.TLD -> TERMSRV/tserv.do...@DOMAIN.TLD, seqnum 602722721, subkey rc4-hmac/B905, session key rc4-hmac/C650
[17563] 1389099777.132791: ccselect module realm chose cache FILE:/tmp/krb5cc_15005_AoKyeA with client principal user...@DOMAIN.TLD for server principal TERMSRV/tserv.do...@DOMAIN.TLD
[17563] 1389099777.132872: Read AP-REP, time 1389099777.128908, subkey rc4-hmac/B905, seqnum 1134916505
Connection established using CredSSP.

Any idea?

Regards

Sven

--
Despite the increasing spread of Linux, the bear,
and - thanks to Knut - the polar bear in particular, enjoys considerably
greater popularity than the penguin. (Found at http://telepolis.de/)
/me is giggls@ircnet, http://sven.gegg.us/ on the Web

theoriginal...@gmail.com

Mar 28, 2014, 2:17:29 AM
I have the same exact issue. I would love to get this working.. :/

henr...@gmail.com

Apr 15, 2014, 2:19:35 PM
Hi,

CredSSP / NLA only uses Kerberos for server authentication; see my post at the following URL.

http://social.msdn.microsoft.com/Forums/en-US/da074f0f-0887-4151-88ea-19a671ed91d9/is-it-possible-to-do-true-kerberos-sso-using-rdp-?forum=os_windowsprotocols


Regards,

Henrik Andersson
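
Added example (not part of the thread and not rdesktop code): a small parser for MIT krb5 trace output like the log in the first post, reporting which Kerberos steps the trace actually shows. The sample lines, principals and the summarize() helper are constructed for illustration; a read AP-REP only shows that the Kerberos exchange with the TERMSRV service completed, which is the server-authentication step the reply above refers to.

```python
import re

# Constructed sample in MIT krb5 trace format; principals are placeholders,
# not the elided values from the thread.
SAMPLE = """\
[4242] 1700000000.100000: Getting credentials alice@EXAMPLE.TEST -> TERMSRV/ts.example.test@EXAMPLE.TEST using ccache FILE:/tmp/krb5cc_1000
[4242] 1700000000.100100: etypes requested in TGS request: rc4-hmac
[4242] 1700000000.100200: Sending request (1645 bytes) to EXAMPLE.TEST
[4242] 1700000000.120000: Creating authenticator for alice@EXAMPLE.TEST -> TERMSRV/ts.example.test@EXAMPLE.TEST, seqnum 1, subkey rc4-hmac/AAAA, session key rc4-hmac/BBBB
[4242] 1700000000.130000: Read AP-REP, time 1700000000.120001, subkey rc4-hmac/AAAA, seqnum 2
Connection established using CredSSP.
"""

LINE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")  # [pid] timestamp: message

def summarize(trace):
    """Return the Kerberos steps visible in a krb5 trace log."""
    out = {"client": None, "service": None, "etypes": [],
           "ap_req_built": False, "ap_rep_read": False, "non_trace": []}
    for raw in trace.splitlines():
        m = LINE.match(raw)
        if not m:
            if raw.strip():
                out["non_trace"].append(raw.strip())  # application output
            continue
        msg = m.group(3)
        if g := re.match(r"Getting credentials (\S+) -> (\S+) using ccache", msg):
            out["client"], out["service"] = g.groups()
        elif g := re.match(r"etypes requested in TGS request: (.*)", msg):
            out["etypes"] = [e.strip() for e in g.group(1).split(",")]
        elif msg.startswith("Creating authenticator for"):
            out["ap_req_built"] = True
        elif msg.startswith("Read AP-REP"):
            out["ap_rep_read"] = True
    # An AP-REP is the service's reply to our AP-REQ: the service could use
    # the ticket. It says nothing about the later Windows logon itself.
    out["server_authenticated"] = out["ap_req_built"] and out["ap_rep_read"]
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```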