About one unknown padata type 129
- To: heimdal-discuss@sics.se
- Subject: About one unknown padata type 129
- From: Ralph <ralph.zhang@gmail.com>
- Date: Tue, 14 Nov 2006 09:42:49 +0800
- In-Reply-To: <553b71c40611130330k1903d212y91e840c86513d235@mail.gmail.com>
- References: <553b71c40611130330k1903d212y91e840c86513d235@mail.gmail.com>
- Sender: owner-heimdal-discuss@sics.se
Hi everyone,
I'm a newbie to Kerberos and Heimdal and I'm interested in Kerberos
delegation, which is very useful. From Windows 2003, MS added a new
functionality called Kerberos extensions, including S4U2Self and
S4U2Proxy. With these two extensions, we can configure the KDC to let
a specified user or computer support constrained delegation and
authentication protocol transition. In short, the client can use any
protocol to authenticate itself to the delegation server; after that,
the delegation server can use S4U2Self and S4U2Proxy to access other
specified services on the client's behalf.
I tried to set up a testing environment which proves that's useful and
convenient. However, after looking into the network traffic, I found
there is an unknown padata type (129) inside the first TGS_REQ sent
from the delegation server to the KDC. Does anyone here know its format
and field descriptions?
Here is some information that may be helpful.
1. The delegation service sends an AS_REQ to the KDC to authenticate
itself. Inside this AS_REQ, there is a padata including an encrypted
client time stamp.
2. Once it gets the AS_REP from the KDC, the delegation service will
get the TGT ticket.
3. The delegation service sends a TGS_REQ to the KDC to request a ticket
for accessing itself on the client's behalf. Inside this TGS_REQ, besides
the TGT ticket, there is another padata with type (129). This piece
of padata does contain the client information, like user name and
realm. And it's unencrypted text. So far, I don't know its format and
field descriptions.
4. Once it gets the TGS_REQ from the KDC, the delegation service will get
another TGS ticket (meaning the client's authentication to the delegation
service). In the following requests, the delegation service will send two
tickets to the KDC to get the requests for accessing other services under
this domain.
Do you guys know any piece of information about this request?
Thanks a lot.
Ralph
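Editor's note, added after the message and not part of Ralph's post or of Heimdal: padata type 129 is PA-FOR-USER, defined in MS-SFU section 2.2.1 as `SEQUENCE { userName [0] PrincipalName, userRealm [1] Realm, cksum [2] Checksum, auth-package [3] KerberosString }`. The small encoder/decoder below shows that layout on a constructed sample (principal `alice@EXAMPLE.COM`, a placeholder all-zero checksum); the realm, principal name and checksum type are assumptions for the example, and the checksum is not computed here.

```python
# Added example, not from the original message or from Heimdal: minimal DER
# encoder/decoder for padata type 129, PA-FOR-USER (MS-SFU 2.2.1):
#   PA-FOR-USER ::= SEQUENCE { userName [0] PrincipalName, userRealm [1] Realm,
#                              cksum [2] Checksum, auth-package [3] KerberosString }
# Name and realm travel in cleartext; only cksum (HMAC-MD5, type -138) binds them.

def tlv(tag, body):                        # DER tag-length-value, definite length
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def ctx(n, inner):                         # [n] EXPLICIT context-specific tag
    return tlv(0xA0 | n, inner)

def kstr(s):                               # KerberosString is a GeneralString (0x1B)
    return tlv(0x1B, s.encode("ascii"))

def der_int(v):                            # minimal two's-complement DER INTEGER
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(0x02, v.to_bytes(n, "big", signed=True))

def encode_pa_for_user(name_type, names, realm, cksumtype, cksum, auth_pkg="Kerberos"):
    principal = tlv(0x30, ctx(0, der_int(name_type)) +
                    ctx(1, tlv(0x30, b"".join(kstr(s) for s in names))))
    checksum = tlv(0x30, ctx(0, der_int(cksumtype)) + ctx(1, tlv(0x04, cksum)))
    return tlv(0x30, ctx(0, principal) + ctx(1, kstr(realm)) +
               ctx(2, checksum) + ctx(3, kstr(auth_pkg)))

def children(body):                        # split a SEQUENCE body into (tag, value) TLVs
    out, pos = [], 0
    while pos < len(body):
        tag, ln, pos = body[pos], body[pos + 1], pos + 2
        if ln & 0x80:                      # long form: next (ln & 0x7F) bytes hold length
            ln, pos = int.from_bytes(body[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
        out.append((tag, body[pos:pos + ln]))
        pos += ln
    return out

def explicit(body):                        # {context number: inner (tag, value)}
    return {t & 0x1F: children(v)[0] for t, v in children(body)}

def decode_pa_for_user(blob):
    tag, body = children(blob)[0]
    if tag != 0x30:
        raise ValueError("PA-FOR-USER must be a SEQUENCE")
    f = explicit(body)
    p, c = explicit(f[0][1]), explicit(f[2][1])
    return {"name_type": int.from_bytes(p[0][1], "big", signed=True),
            "name": [v.decode("ascii") for _, v in children(p[1][1])],
            "realm": f[1][1].decode("ascii"),
            "cksumtype": int.from_bytes(c[0][1], "big", signed=True),
            "checksum": c[1][1],
            "auth_package": f[3][1].decode("ascii")}

# Constructed sample: NT-PRINCIPAL (1) alice@EXAMPLE.COM, placeholder 16-byte checksum
SAMPLE = encode_pa_for_user(1, ["alice"], "EXAMPLE.COM", -138, b"\x00" * 16)
```

Feeding `decode_pa_for_user` the raw padata-value bytes of a captured type-129 element prints the fields in the clear, which is what a KDC-side or packet-capture review of an S4U2Self request needs to see.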