Directory Programming .NET

Active Directory and ADAM programming support for .NET developers

Kerberos Set Password Protocol and credential name format

Last post 02-05-2010, 12:58 AM by omatrot. 6 replies.
  •  01-14-2010, 6:58 AM 7717

    Kerberos Set Password Protocol and credential name format

    Hello,

    I have a problem with the user credential format when trying to change a password using the Kerberos protocol. This may not be directly related to Kerberos, but I think it's interesting to share:

    The client is located in domain A. The server is located in domain B, whose DNS name is "b.net".

    If the username format used on the client in domain A is "B\name", this is working fine. If it is name@b.net, the bind is failing with the following error:

    “The supplied credentials is invalid”, Server Error "8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece", ErrorCode 49

    Is it a DNS problem in domain A for resolving the domain controller for domain B?

    TIA.


  •  01-14-2010, 8:11 AM 7719 in reply to 7717

    Re: Kerberos Set Password Protocol and credential name format

    It will be easier if you use ethereal to check what is actually happening.

    You can set the filter to the ldap or kerberos protocol. In the KRB request you will be able to check whether the server name the client is trying to get the ticket for is the one you have specified and is in the correct domain/realm.

  •  01-14-2010, 9:24 AM 7720 in reply to 7719

    Re: Kerberos Set Password Protocol and credential name format

    Thanks for the tip. Restarting the client after setting up Network Monitor solved the problem... We'll have to wait for the problem to exhibit again.

  •  01-14-2010, 4:23 PM 7721 in reply to 7720

    Re: Kerberos Set Password Protocol and credential name format

    I've had this problem described to me before, but I don't know enough about it to tell you what's wrong, unfortunately.

    Hopefully you can repro and the network sniff will provide essential details.

  •  02-04-2010, 5:32 AM 7786 in reply to 7721

    Re: Kerberos Set Password Protocol and credential name format

    Here is the Network Monitor trace for the failed bind. The domain is the good one. The destination IP 10.150.200.19 is the domain controller. Remember that the machine MYSERVER is located in domain A (a.net).

    408 10.359375  {UDP:63, IPv4:115} MYSERVER   10.150.200.19 KerberosV5 KerberosV5:AS Request Cname: mywebsite@b.net Realm: b.net Sname: krbtgt/b.net
    409 10.359375  {UDP:63, IPv4:115} 10.150.200.19 MYSERVER   KerberosV5 KerberosV5:KRB_ERROR  - KDC_ERR_C_PRINCIPAL_UNKNOWN (6)
    410 10.359375  {UDP:64, IPv4:115} MYSERVER   10.150.200.19 KerberosV5 KerberosV5:AS Request Cname: mywebsite@b.net Realm: b.net Sname: krbtgt/b.net
    411 10.359375  {UDP:64, IPv4:115} 10.150.200.19 MYSERVER   KerberosV5 KerberosV5:KRB_ERROR  - KDC_ERR_C_PRINCIPAL_UNKNOWN (6)
    412 10.359375 w3wp.exe {LDAP:65, TCP:62, IPv4:115} MYSERVER   10.150.200.19 LDAP LDAP:Bind Request, MessageID: 102, Version: 3
    413 10.359375 w3wp.exe {LDAP:65, TCP:62, IPv4:115} 10.150.200.19 MYSERVER   LDAP LDAP:Bind Response, MessageID: 102, Status: Sasl Bind In Progress
    414 10.359375 w3wp.exe {LDAP:65, TCP:62, IPv4:115} MYSERVER   10.150.200.19 LDAP LDAP:Bind Request, MessageID: 103, Version: 3
    415 10.359375 w3wp.exe {LDAP:65, TCP:62, IPv4:115} 10.150.200.19 MYSERVER   LDAP LDAP:Bind Response, MessageID: 103, Status: Invalid Credentials

    BindResponse: Status: Invalid Credentials, MatchedDN: NULL, ErrorMessage: 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece

    Using the NetBIOS format for the credential name, it works:

    67 0.187500  {UDP:15, IPv4:4} MYSERVER 10.150.200.19 KerberosV5 KerberosV5:AS Request Cname: mywebsite Realm: b.net Sname: krbtgt/b.net
    68 0.187500  {UDP:15, IPv4:4} 10.150.200.19 MYSERVER KerberosV5 KerberosV5:AS Response Ticket[Realm: b.net, Sname: krbtgt/b.net]
    69 0.187500  {UDP:16, IPv4:4} MYSERVER 10.150.200.19 KerberosV5 KerberosV5:TGS Request Realm: b.net Sname: ldap/dc1.b.net/b.net
    70 0.187500  {UDP:16, IPv4:4} 10.150.200.19 MYSERVER KerberosV5 KerberosV5:TGS Response Cname: mywebsite
    71 0.187500  {LDAP:17, TCP:14, IPv4:4} MYSERVER 10.150.200.19 LDAP LDAP:Bind Request, MessageID: 116, Version: 3
    72 0.187500  {TCP:14, IPv4:4} MYSERVER 10.150.200.19 TCP TCP:[Continuation to #71]Flags=...AP..., SrcPort=4038, DstPort=LDAP(389), PayloadLen=17, Seq=3860893092 - 3860893109, Ack=3419853981, Win=65535 (scale factor 0x0) = 65535
    73 0.187500  {TCP:14, IPv4:4} 10.150.200.19 MYSERVER TCP TCP:Flags=...A...., SrcPort=LDAP(389), DstPort=4038, PayloadLen=0, Seq=3419853981, Ack=3860893109, Win=65535 (scale factor 0x0) = 65535
    74 0.187500  {LDAP:17, TCP:14, IPv4:4} 10.150.200.19 MYSERVER LDAP LDAP:Bind Response, MessageID: 116, Status: Success
    75 0.187500  {LDAP:17, TCP:14, IPv4:4} MYSERVER 10.150.200.19 LDAP LDAP:GSS-API Encrypted Payload
    76 0.203125  {LDAP:17, TCP:14, IPv4:4} 10.150.200.19 MYSERVER LDAP LDAP:GSS-API Encrypted Payload
    77 0.203125  {LDAP:17, TCP:14, IPv4:4} MYSERVER 10.150.200.19 LDAP LDAP:GSS-API Encrypted Payload
    78 0.203125  {TCP:14, IPv4:4} MYSERVER 10.150.200.19 TCP TCP:Flags=...A...F, SrcPort=4038, DstPort=LDAP(389), PayloadLen=0, Seq=3860893366, Ack=3419854243, Win=65273 (scale factor 0x0) = 65273
    79 0.203125  {LDAP:13, TCP:10, IPv4:4} MYSERVER 10.150.200.19 LDAP LDAP:Modify Request, MessageID: 119, Object: CN=topogigio_80d5e8,OU=ACBSOFT,OU=FAXBOX,OU=Preprod,DC=rcs,DC=private
    80 0.203125  {TCP:14, IPv4:4} 10.150.200.19 MYSERVER TCP TCP:Flags=...A...F, SrcPort=LDAP(389), DstPort=4038, PayloadLen=0, Seq=3419854243, Ack=3860893366, Win=65278 (scale factor 0x0) = 65278
    81 0.203125  {TCP:14, IPv4:4} MYSERVER 10.150.200.19 TCP TCP:Flags=...A...., SrcPort=4038, DstPort=LDAP(389), PayloadLen=0, Seq=3860893367, Ack=3419854244, Win=65273 (scale factor 0x0) = 65273
    82 0.203125  {TCP:18, IPv4:4} 10.150.200.19 MYSERVER TCP TCP:Flags=...A...., SrcPort=LDAP(389), DstPort=4038, PayloadLen=0, Seq=3419854244, Ack=3860893367, Win=65278
    83 0.203125  {LDAP:13, TCP:10, IPv4:4} 10.150.200.19 MYSERVER LDAP LDAP:Modify Response, MessageID: 119, Status: Success
    84 0.203125  {LDAP:13, TCP:10, IPv4:4} MYSERVER 10.150.200.19 LDAP LDAP:Unbind Request, MessageID: 120

    Any thoughts?
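A small parser, added here and not part of the thread, that walks Network Monitor summary lines like the ones above, pairs each AS-REQ with the KDC reply that follows it, and records the LDAP bind outcome, so that the LDAP "Invalid Credentials" can be traced back to the KDC_ERR_C_PRINCIPAL_UNKNOWN that precedes it rather than treated as a password problem. The sample lines are constructed from the trace above and reuse the thread's placeholder names and addresses.

```python
import re

# Constructed sample, abridged from the Network Monitor summary lines quoted in
# the thread (hostnames, IPs and principal names are the thread's placeholders).
FAILED_TRACE = """\
408 10.359375 {UDP:63, IPv4:115} MYSERVER 10.150.200.19 KerberosV5 KerberosV5:AS Request Cname: mywebsite@b.net Realm: b.net Sname: krbtgt/b.net
409 10.359375 {UDP:63, IPv4:115} 10.150.200.19 MYSERVER KerberosV5 KerberosV5:KRB_ERROR  - KDC_ERR_C_PRINCIPAL_UNKNOWN (6)
412 10.359375 w3wp.exe {LDAP:65, TCP:62, IPv4:115} MYSERVER 10.150.200.19 LDAP LDAP:Bind Request, MessageID: 102, Version: 3
415 10.359375 w3wp.exe {LDAP:65, TCP:62, IPv4:115} 10.150.200.19 MYSERVER LDAP LDAP:Bind Response, MessageID: 103, Status: Invalid Credentials
"""
OK_TRACE = """\
67 0.187500 {UDP:15, IPv4:4} MYSERVER 10.150.200.19 KerberosV5 KerberosV5:AS Request Cname: mywebsite Realm: b.net Sname: krbtgt/b.net
68 0.187500 {UDP:15, IPv4:4} 10.150.200.19 MYSERVER KerberosV5 KerberosV5:AS Response Ticket[Realm: b.net, Sname: krbtgt/b.net]
74 0.187500 {LDAP:17, TCP:14, IPv4:4} 10.150.200.19 MYSERVER LDAP LDAP:Bind Response, MessageID: 116, Status: Success
"""

AS_REQ = re.compile(r"AS Request Cname: (\S+) Realm: (\S+) Sname: (\S+)")
KRB_ERR = re.compile(r"KRB_ERROR\s+-\s+(\w+)\s+\((\d+)\)")
BIND_RESP = re.compile(r"Bind Response, MessageID: \d+, Status: (.+?)\s*$")

def analyze_trace(trace: str) -> dict:
    """Pair every AS-REQ with the KDC reply that follows it, record the LDAP
    bind outcome, and say which layer actually rejected the logon."""
    requests, bind_status, pending = [], None, None
    for line in trace.splitlines():
        if m := AS_REQ.search(line):
            cname, realm, sname = m.groups()
            pending = {"cname": cname, "realm": realm, "sname": sname,
                       "name_format": "upn" if "@" in cname else "sam",
                       "kdc_result": None}
            requests.append(pending)
        elif (m := KRB_ERR.search(line)) and pending:
            pending["kdc_result"] = m.group(1)      # e.g. KDC_ERR_C_PRINCIPAL_UNKNOWN
        elif "AS Response Ticket" in line and pending:
            pending["kdc_result"] = "TGT_ISSUED"    # the KDC accepted this cname
        elif m := BIND_RESP.search(line):
            bind_status = m.group(1)
    kdc_errors = {r["kdc_result"] for r in requests
                  if r["kdc_result"] not in (None, "TGT_ISSUED")}
    if kdc_errors and bind_status != "Success":
        # The LDAP "Invalid Credentials" is only the symptom: no TGT was ever
        # issued, so the SASL/GSSAPI bind had no valid token to present.
        verdict = "kdc_rejected_client_name"
    elif bind_status == "Success":
        verdict = "ok"
    else:
        verdict = "bind_failed_after_tgt"
    return {"requests": requests, "bind_status": bind_status,
            "kdc_errors": sorted(kdc_errors), "verdict": verdict}
```

Run `analyze_trace` over the two traces to see that the UPN form never gets past the AS exchange while the sAMAccountName form obtains a TGT and binds successfully.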

  •  02-05-2010, 12:35 AM 7795 in reply to 7786

    Re: Kerberos Set Password Protocol and credential name format

    No, although the details in the network trace look promising. SOMEONE must know what they mean. It appears that the name match is failing because the UPN mywebsite@b.net cannot be found but the sAMAccountName mywebsite can.

    Are you sure there is an object in b.net with UPN mywebsite@b.net? It seems like there should not be to get that particular error, but it is hard to understand where that error comes from if the UPN does actually exist.

    I'd like to see if I can convince someone at MS to take a peek at your post here. There is a ton of detail to look at now.

  •  02-05-2010, 12:58 AM 7796 in reply to 7795

    Re: Kerberos Set Password Protocol and credential name format

    I've just double checked the mywebsite user object in domain b.net for the attributes you suggested:

    sAMAccountName DirectoryString 1 mywebsite
    userPrincipalName DirectoryString 1 mywebsite@b.net


    As you can see, both pieces of information are correct.

    I did not talk about it previously but real domain names and users are replaced here with fakes for security reasons.
