Kerberos Network Authentication Protocol over Network Address Translation (NAT)    




Apr 28

Q: The Kerberos authentication protocol might fail in environments that use Network Address Translation (NAT) or DHCP?

What is causing Kerberos authentication to fail in these environments?

Is this something I need to worry about in my Windows Active Directory (AD) environment?

A: A Kerberos ticket has an optional field called client addresses that can contain the IP addresses of the Kerberos client that's authorized to use that particular ticket. The Kerberos Key Distribution Center (KDC—each Windows 2000 and later domain controller hosts a Kerberos KDC service) can use this field to check whether the ticket was sent from the client that initially requested the ticket. As such, the KDC can detect ticket replay attacks in which an impostor tries to impersonate a client by intercepting the client’s ticket and sending it to the KDC to obtain other tickets on the client’s behalf.

If the KDC checks and validates client addresses, Kerberos authentication will fail when Network Address Translation (NAT) is used on the communication link between the Kerberos client and the KDC. Authentication will also fail if the Kerberos client has received a new IP address from a DHCP server while its old address is still in its Kerberos ticket. In these scenarios, you might want to disable the inclusion of client IP addresses in Kerberos client ticket-granting ticket (TGT) requests or disable the checking of these IP addresses on the KDC. Win2K Kerberos clients don't automatically send their client addresses and don't automatically request their client addresses to be included when they request a ticket from a KDC. When a ticket doesn't include client addresses, it can be used from all addresses. This also means that by default, the Kerberos client addresses field won't pose problems when Kerberos is used in NAT or DHCP environments...

Now check the following information:

Registry entries and values under the Kdc key

The registry entries that are listed in this section must be added to the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc

Note If the Kdc key is not listed under Services, you must create the key.

· Entry: KdcUseClientAddresses
Type: REG_DWORD
Default Value: 0
Possible values: 0 (false) or any non-zero value (true)

This value indicates whether IP addresses will be added in the Ticket-Granting Service Reply (TGS_REP).

· Entry: KdcDontCheckAddresses
Type: REG_DWORD
Default Value: 1
Possible values: 0 (false) or any non-zero value (true)

This value indicates whether IP addresses for the TGS_REQ and the TGT Caddr field will be checked.

For further info please check:

http://support.microsoft.com/kb/837361

Kerberos protocol registry entries and KDC configuration keys in Windows Server 2003

SUMMARY

This article contains information about registry entries that relate to the Kerberos version 5 authentication protocol in Microsoft Windows Server 2003.

INTRODUCTION

Kerberos is an authentication mechanism that is used to verify user or host identity. Kerberos is the preferred authentication method for services in Windows Server 2003.

If you are running Windows Server 2003, you can modify Kerberos parameters to help troubleshoot Kerberos authentication issues or to test the Kerberos protocol. To do this, add or modify the registry entries that are listed in the "More Information" section.

MORE INFORMATION

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

Note After you finish troubleshooting or testing the Kerberos protocol, remove any registry entries that you add. Otherwise, performance of your computer may be affected.

Registry entries and values under the Parameters key

The registry entries that are listed in this section must be added to the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Note If the Parameters key is not listed under Kerberos, you must create the key.

· Entry: SkewTime
Type: REG_DWORD
Default Value: 5 (minutes)

This value is the maximum time difference that is permitted between the client computer and the server that accepts Kerberos authentication. In Windows 2000 checked build version, the default SkewTime value is 2 hours.

Note
A checked build version of the Windows operating system is used in production and testing environments. (A checked build is also known as a debug version.) A checked build has many compiler optimizations turned off. This kind of build helps trace the cause of problems in system software. A checked build turns on many debugging checks in the operating system code and in the system drivers. These debugging checks help the checked build identify internal inconsistencies as soon as they occur. A checked build is larger and is slower to run than an end-user version of Windows.

An end-user version of Windows is also known as a free build version or a retail-build version. In a free build version, debugging information is removed, and Windows is built with full compiler optimizations. A free build version is faster and uses less memory than a checked build version.

· Entry: LogLevel
Type: REG_DWORD
Default Value: 0

This value indicates whether events are logged in the system event log. If this value is set to any non-zero value, all Kerberos-related events are logged in the system event log.

· Entry: MaxPacketSize
Type: REG_DWORD
Default Value: 1465 (bytes)

This value is the maximum User Datagram Protocol (UDP) packet size. If the packet size exceeds this value, TCP is used.

· Entry: StartupTime
Type: REG_DWORD
Default Value: 120 (seconds)

This value is the time that Windows waits for the Key Distribution Center (KDC) to start before Windows gives up.

· Entry: KdcWaitTime
Type: REG_DWORD
Default Value: 10 (seconds)

This value is the time Windows waits for a response from a KDC.

· Entry: KdcBackoffTime
Type: REG_DWORD
Default Value: 10 (seconds)

This value is the time between successive calls to the KDC if the previous call failed.

· Entry: KdcSendRetries
Type: REG_DWORD
Default Value: 3

This value is the number of times that a client will try to contact a KDC.

· Entry: DefaultEncryptionType
Type: REG_DWORD
Default Value: 23 (decimal) or 0x17 (hexadecimal)

This value indicates the default encryption type for pre-authentication.

· Entry: FarKdcTimeout
Type: REG_DWORD
Default Value: 10 (minutes)

This is the time-out value that is used to invalidate a domain controller from a different site in the domain controller cache.

· Entry: NearKdcTimeout
Type: REG_DWORD
Default Value: 30 (minutes)

This is the time-out value that is used to invalidate a domain controller in the same site in the domain controller cache.

· Entry: StronglyEncryptDatagram
Type: REG_BOOL
Default Value: FALSE

This value contains a flag that indicates whether to use 128-bit encryption for datagram packets.

· Entry: MaxReferralCount
Type: REG_DWORD
Default Value: 6

This value is the number of KDC referrals that a client pursues before the client gives up.

· Entry: KerbDebugLevel
Type: REG_DWORD
Default Value: 0xFFFFFFFF

This value is a list of flags that indicate the type and the level of logging that is requested. This kind of logging can be collected at the component level of Kerberos by bitwise OR-ing one or more of the macros that are described in the following table.

Macro Name              Value        Note
DEB_ERROR               0x00000001   This is the default InfoLevel for checked builds. This produces error messages across components.
DEB_WARN                0x00000002   This macro generates warning messages across components. In some cases, these messages can be ignored.
DEB_TRACE               0x00000004   This macro enables general tracing events.
DEB_TRACE_API           0x00000008   This macro enables user API tracing events that are usually logged on entry and on exit to an externally exported function that is implemented through SSPI.
DEB_TRACE_CRED          0x00000010   This macro enables credentials tracing.
DEB_TRACE_CTXT          0x00000020   This macro enables context tracing.
DEB_TRACE_LSESS         0x00000040   This macro enables logon session tracing.
DEB_TRACE_TCACHE        0x00000080   Not implemented
DEB_TRACE_LOGON         0x00000100   This macro enables logon tracing such as in LsaApLogonUserEx2().
DEB_TRACE_KDC           0x00000200   This macro enables tracing before and after calls to KerbMakeKdcCall().
DEB_TRACE_CTXT2         0x00000400   This macro enables additional context tracing.
DEB_TRACE_TIME          0x00000800   This macro enables the time skew tracing that is found in Timesync.cxx.
DEB_TRACE_USER          0x00001000   This macro enables user API tracing that is used together with DEB_TRACE_API and that is found mostly in Userapi.cxx.
DEB_TRACE_LEAKS         0x00002000
DEB_TRACE_SOCK          0x00004000   This macro enables Winsock-related events.
DEB_TRACE_SPN_CACHE     0x00008000   This macro enables events that are related to SPN cache hits and misses.
DEB_S4U_ERROR           0x00010000   Not implemented
DEB_TRACE_S4U           0x00020000
DEB_TRACE_BND_CACHE     0x00040000
DEB_TRACE_LOOPBACK      0x00080000
DEB_TRACE_TKT_RENEWAL   0x00100000
DEB_TRACE_U2U           0x00200000
DEB_TRACE_LOCKS         0x01000000
DEB_USE_LOG_FILE        0x02000000   Not implemented

· Entry: MaxTokenSize
Type: REG_DWORD
Default Value: 12000 (Decimal)

This value is the maximum value of the Kerberos token. Microsoft recommends that you set this value to less than 65535.

· Entry: SpnCacheTimeout
Type: REG_DWORD
Default Value: 15 minutes

This value is the lifetime of the Service Principal Names (SPN) cache entries. On domain controllers, the SPN cache is disabled.

· Entry: S4UCacheTimeout
Type: REG_DWORD
Default Value: 15 minutes

This value is the lifetime of the S4U negative cache entries that are used to restrict the number of S4U proxy requests from a particular computer.

· Entry: S4UTicketLifetime
Type: REG_DWORD
Default Value: 15 minutes

This value is the lifetime of tickets that are obtained by S4U proxy requests.

· Entry: RetryPdc
Type: REG_DWORD
Default Value: 0 (false)
Possible values: 0 (false) or any non-zero value (true)

This value indicates whether the client will contact the primary domain controller for Authentication Service Requests (AS_REQ) if the client receives a password expiration error.

· Entry: RequestOptions
Type: REG_DWORD
Default Value: Any RFC 1510 value

This value indicates whether there are additional options that must be sent as KDC options in Ticket Granting Service requests (TGS_REQ).

· Entry: ClientIpAddress
Type: REG_DWORD
Default Value: 0 (This setting is 0 because of Dynamic Host Configuration Protocol and network address translation issues.)
Possible values: 0 (false) or any non-zero value (true)

This value indicates whether a client IP address will be added in AS_REQ to force the Caddr field to contain IP addresses in all tickets.

· Entry: TgtRenewalTime
Type: REG_DWORD
Default Value: 600 seconds

This value is the time that Kerberos waits before it tries to renew a Ticket Granting Ticket (TGT) before the ticket expires.

· Entry: AllowTgtSessionKey
Type: REG_DWORD
Default Value: 0
Possible values: 0 (false) or any non-zero value (true)

This value indicates whether session keys are exported with initial or with cross realm TGT authentication. The default value is false for security reasons.

Registry entries and values under the Kdc key

The registry entries that are listed in this section must be added to the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc

Note If the Kdc key is not listed under Services, you must create the key.

· Entry: KdcUseClientAddresses
Type: REG_DWORD
Default Value: 0
Possible values: 0 (false) or any non-zero value (true)

This value indicates whether IP addresses will be added in the Ticket-Granting Service Reply (TGS_REP).

· Entry: KdcDontCheckAddresses
Type: REG_DWORD
Default Value: 1
Possible values: 0 (false) or any non-zero value (true)

This value indicates whether IP addresses for the TGS_REQ and the TGT Caddr field will be checked.
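As an added example (not part of the Q&A or the KB article), the following PowerShell reads the three address-related entries the article describes (ClientIpAddress under Parameters, KdcUseClientAddresses and KdcDontCheckAddresses under Kdc), substitutes the documented default wherever an entry is absent, and reports whether the current combination would make tickets address-bound, which is the condition under which NAT or a DHCP address change breaks authentication. The function names are my own; the script is read-only and is meant to be run on a domain controller.

```powershell
# Added example: audit the Kerberos client-address settings from KB 837361.
# An absent registry value means the documented default applies.

$Params = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$KdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'

# Entry name -> registry path and documented default (both taken from the article)
$Settings = @{
    ClientIpAddress       = @{ Path = $Params; Default = 0 }
    KdcUseClientAddresses = @{ Path = $KdcKey; Default = 0 }
    KdcDontCheckAddresses = @{ Path = $KdcKey; Default = 1 }
}

function Get-KerbEffectiveValue {
    param([string]$Path, [string]$Name, [int]$Default)
    # Get-ItemProperty errors when the key or the value does not exist;
    # suppress that and treat "absent" as "default applies".
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

function Test-KerbAddressChecking {
    $effective = @{}
    foreach ($name in $Settings.Keys) {
        $effective[$name] = Get-KerbEffectiveValue -Path $Settings[$name].Path `
                                                   -Name $name `
                                                   -Default $Settings[$name].Default
    }
    # Addresses end up in tickets only if the client requests them (ClientIpAddress)
    # or the KDC adds them to the TGS_REP (KdcUseClientAddresses), and they matter
    # only if the KDC actually compares them (KdcDontCheckAddresses = 0).
    $addressesInTickets = ($effective.ClientIpAddress -ne 0) -or
                          ($effective.KdcUseClientAddresses -ne 0)
    $kdcChecks = ($effective.KdcDontCheckAddresses -eq 0)

    [pscustomobject]@{
        ClientIpAddress       = $effective.ClientIpAddress
        KdcUseClientAddresses = $effective.KdcUseClientAddresses
        KdcDontCheckAddresses = $effective.KdcDontCheckAddresses
        # True only when tickets carry addresses AND the KDC validates them:
        # the configuration that fails behind NAT or after a DHCP lease change.
        NatSensitive          = ($addressesInTickets -and $kdcChecks)
    }
}

Test-KerbAddressChecking | Format-List
```

With the article's defaults (0, 0, 1) the report shows NatSensitive = False, which matches the Q&A's statement that the client addresses field does not cause problems in NAT or DHCP environments unless these values are changed.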

· Entry: NewConnectionTimeout
Type: REG_DWORD
Default Value: 10 (seconds)

This value is the time that an initial TCP endpoint connection will be kept open to receive data before it disconnects.

· Entry: MaxDatagramReplySize
Type: REG_DWORD
Default Value: 1465 (decimal, bytes)

This value is the maximum UDP packet size in TGS_REP and Authentication Service Replies (AS_REP) messages. If the packet size exceeds this value, the KDC returns a KRB_ERR_RESPONSE_TOO_BIG message that requests that the client switch to TCP.

Note Increasing MaxDatagramReplySize may increase the likelihood of Kerberos UDP packets being fragmented.

For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:

244474 How to force Kerberos to use TCP instead of UDP in Windows

· Entry: KdcExtraLogLevel
Type: REG_DWORD
Default Value: 2
Possible values:

  o 1 (decimal) or 0x1 (hexadecimal): Audit SPN unknown errors.

  o 2 (decimal) or 0x2 (hexadecimal): Log PKINIT errors. (PKINIT is an Internet Engineering Task Force (IETF) Internet draft for "Public Key Cryptography for Initial Authentication in Kerberos.")

  o 4 (decimal) or 0x4 (hexadecimal): Log all KDC errors.

  o 8 (decimal) or 0x8 (hexadecimal): Log KDC warning event 25 in the system log when a user asking for an S4U2Self ticket does not have sufficient access to the target user.

  o 16 (decimal) or 0x10 (hexadecimal): Log audit events on encryption type (ETYPE) and bad options errors.

This value indicates what information the KDC will write to event logs and to audits.

· Entry: KdcDebugLevel
Type: REG_DWORD
Default Value: 1 for checked build, 0 for free build

This value indicates whether debug logging is on (1) or off (0).

If the value is set to 0x10000000 (hexadecimal) or 268435456 (decimal), specific file or line information will be returned in the edata field of KERB_ERRORS as PKERB_EXT_ERROR errors during a KDC processing failure.

Article ID: 837361

APPLIES TO:

· Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
· Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
· Microsoft Windows Server 2003, Standard Edition (32-bit x86)

http://support.microsoft.com/kb/837361

Author: administrator (India)