@c $Id: win2k.texi,v 1.15 2001/07/19 16:44:41 assar Exp $

@node Windows 2000 compatability, Programming with Kerberos, Kerberos 4 issues, Top
@comment node-name, next, previous, up
@chapter Windows 2000 compatibility

Windows 2000 (formerly known as Windows NT 5) from Microsoft implements
Kerberos 5. Their implementation, however, has some quirks,
peculiarities, and bugs. This chapter is a short summary of the things
that we have found out while trying to test Heimdal against Windows
2000. Another big problem with the Kerberos implementation in Windows
2000 is that the available documentation is more focused on getting
things to work than on how they work, and is not that useful in figuring
out how things really work.

This information should apply to Heimdal @value{VERSION} and Windows
2000 Professional. It is of course subject to change all the time and mostly
consists of our not so inspired guesses. Hopefully it's still somewhat useful.

@menu
* Configuring Windows 2000 to use a Heimdal KDC::
* Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC::
* Create account mappings::
* Encryption types::
* Authorization data::
* Quirks of Windows 2000 KDC::
* Useful links when reading about the Windows 2000::
@end menu

@node Configuring Windows 2000 to use a Heimdal KDC, Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Windows 2000 compatability, Windows 2000 compatability
@comment node-name, next, previous, up
@section Configuring Windows 2000 to use a Heimdal KDC

You need the command line program called @code{ksetup.exe} which is available
in the file @code{SUPPORT/TOOLS/SUPPORT.CAB} on the Windows 2000 Professional
CD-ROM. This program is used to configure the Kerberos settings on a
workstation.

@code{Ksetup} stores the domain information under the registry key:
@code{HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Domains}.

Use the kadmin program in Heimdal to create a host principal in the
Kerberos realm.

@example
unix% kadmin
kadmin> ank -pw password host/datan.my.domain
@end example

You must configure the workstation as a member of a workgroup, as opposed
to a member of an NT domain, and specify the KDC server of the realm
as follows:
@example
C:> ksetup /setdomain MY.REALM
C:> ksetup /addkdc MY.REALM kdc.my.domain
@end example

Set the machine password, i.e. create the local keytab (the password
must be the one given to @code{ank -pw} above):
@example
C:> ksetup /setmachpassword password
@end example

The workstation must now be rebooted.

A mapping between local NT users and Kerberos principals must be specified;
you have two choices:

@example
C:> ksetup /mapuser user@@MY.REALM nt_user
@end example

This will map a user to a specific principal; this allows you to have
other usernames in the realm than in your NT user database. (Don't ask
me why on earth you would want that...)

You can also say:
@example
C:> ksetup /mapuser * *
@end example
The Windows machine will now map any user to the corresponding principal,
for example @samp{nisse} to the principal @samp{nisse@@MY.REALM}.
(This is most likely what you want.)

@node Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Create account mappings, Configuring Windows 2000 to use a Heimdal KDC, Windows 2000 compatability
@comment node-name, next, previous, up
@section Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC

See also the Step-by-Step guide from Microsoft, referenced below.

Install Windows 2000, and create a new controller (Active Directory
Server) for the domain.

By default the trust will be non-transitive. This means that only users
directly from the trusted domain may authenticate. This can be changed
to transitive by using the @code{netdom.exe} tool.

You need to tell Windows 2000 on what hosts to find the KDCs for the
non-Windows realm with @code{ksetup} (@pxref{Configuring Windows 2000
to use a Heimdal KDC}).

This needs to be done on all computers that want to enable cross-realm
login with @code{Mapped Names}.

Then you need to add the inter-realm keys on the Windows KDC. Start the
Domain Tree Management tool. (Found in Programs, Administrative tools,
Active Directory Domains and Trusts).

Right click on Properties of your domain, select the Trust tab. Press
Add on the appropriate trust window and enter the domain name and
password. When prompted whether this is a non-Windows Kerberos realm, press
OK.

Do not forget to add trusts in both directions.

You also need to add the inter-realm keys to the Heimdal KDC. There are
some tweaks that you need to do to @file{krb5.conf} beforehand.

@example
[libdefaults]
	default_etypes = des-cbc-crc
	default_etypes_des = des-cbc-crc
@end example

since otherwise checksum types that are not understood by Windows 2000
will be generated (@pxref{Quirks of Windows 2000 KDC}).

Another issue is salting. Since Windows 2000 does not seem to
understand Kerberos 4 salted hashes you might need to turn off anything
similar to the following if you have it, at least while adding the
principals that are going to share keys with Windows 2000.

@example
[kadmin]
	default_keys = v5 v4
@end example

You must also set:

Once that is also done, you can add the required inter-realm keys. With
the Heimdal realm called @samp{EXAMPLE.COM} and the Windows 2000 realm
called @samp{NT.EXAMPLE.COM}, one krbtgt principal is needed in each
realm for the other:

@example
kadmin add krbtgt/NT.EXAMPLE.COM@@EXAMPLE.COM
kadmin add krbtgt/EXAMPLE.COM@@NT.EXAMPLE.COM
@end example

Use the same passwords for both keys.

Do not forget to reboot before trying the new realm-trust (after running
@code{ksetup}). It looks like it might work, but packets are never sent to the
non-Windows KDC.

@node Create account mappings, Encryption types, Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Windows 2000 compatability
@comment node-name, next, previous, up
@section Create account mappings

Start the @code{Active Directory Users and Computers} tool. Select the
View menu, that is in the left corner just below the real menu (or press
Alt-V), and select Advanced Features. Right click on the user that you
are going to do a name mapping for and choose Name mapping.

Click on the Kerberos Names tab and add a new principal from the
non-Windows domain.
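The Heimdal side of the trust set up in the two previous sections, as an added example @file{krb5.conf} (it is not a file from the Heimdal distribution). It assumes the Heimdal realm is @samp{EXAMPLE.COM} with its KDC on @samp{kdc.example.com}, and the Windows 2000 realm is @samp{NT.EXAMPLE.COM} whose domain controller @samp{dc.nt.example.com} acts as its KDC; both hostnames are assumptions.

```ini
# Added example krb5.conf for the Heimdal side of the EXAMPLE.COM <-> NT.EXAMPLE.COM
# trust. The hostnames are assumptions; the realm names match the kadmin lines above.
[libdefaults]
	default_realm = EXAMPLE.COM
	# Windows 2000 lacks the rsa-md4-des and rsa-md5-des checksums, so force
	# des-cbc-crc for anything that will be sent to or verified by Windows.
	default_etypes = des-cbc-crc
	default_etypes_des = des-cbc-crc

[realms]
	EXAMPLE.COM = {
		kdc = kdc.example.com
		admin_server = kdc.example.com
	}
	# The Windows 2000 domain controller is the KDC of the Windows realm, so
	# Heimdal clients can obtain cross-realm tickets for services there.
	NT.EXAMPLE.COM = {
		kdc = dc.nt.example.com
	}

[domain_realm]
	# Map host names to realms so service principals resolve to the right KDC.
	.example.com = EXAMPLE.COM
	.nt.example.com = NT.EXAMPLE.COM

[kadmin]
	# Windows 2000 does not understand Kerberos 4 (empty) salts; keep only v5
	# keys at least while creating the shared krbtgt principals.
	default_keys = v5
```

Once the krbtgt principals exist in both realms, a Heimdal client holding a ticket in EXAMPLE.COM can ask for a service ticket in NT.EXAMPLE.COM and the library will follow the trust through the Windows KDC listed here.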

@node Encryption types, Authorization data, Create account mappings, Windows 2000 compatability
@comment node-name, next, previous, up
@section Encryption types

Windows 2000 supports both the standard DES encryptions (des-cbc-crc and
des-cbc-md5) and its own proprietary encryption that is based on MD4 and
RC4 and is supposed to be described in
@file{draft-brezak-win2k-krb-rc4-hmac-03.txt}. New users will get both
MD4 and DES keys. Users that are converted from an NT4 database will
only have MD4 passwords and will need a password change to get a DES
key.

Heimdal implements both of these encryption types, but since DES is the
standard and the hmac code is somewhat newer, DES is likely to work better.

@node Authorization data, Quirks of Windows 2000 KDC, Encryption types, Windows 2000 compatability
@comment node-name, next, previous, up
@section Authorization data

The Windows 2000 KDC also adds extra authorization data in tickets.
It is at this point unclear what triggers it to do this. The format of
this data is only available under a ``secret'' license from Microsoft,
which prohibits you from implementing it.

A simple way of getting hold of the data to be able to understand it
better is described here.

@enumerate
@item Find the client example on using the SSPI in the SDK documentation.
@item Change ``AuthSamp'' in the source code to lowercase.
@item Build the program.
@item Add the ``authsamp'' principal with a known password to the
database. Make sure it has a DES key.
@item Run @kbd{ktutil add} to add the key for that principal to a
keytab.
@item Run @kbd{appl/test/nt_gss_server -p 2000 -s authsamp
--dump-auth=file} where file is an appropriate file.
@item It should authenticate and dump the authorization data for you in
the file.
@item The tool @kbd{lib/asn1/asn1_print} is somewhat useful for
analyzing the data.
@end enumerate

@node Quirks of Windows 2000 KDC, Useful links when reading about the Windows 2000, Authorization data, Windows 2000 compatability
@comment node-name, next, previous, up
@section Quirks of Windows 2000 KDC

There are some issues with salts and Windows 2000. Using an empty salt,
which is the only one that Kerberos 4 supported and is therefore known
as a Kerberos 4 compatible salt, does not work, as far as we can tell
from our experiments and user reports. Therefore, you have to make
sure you keep around keys with all the different types of salts that are
required.
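Returning to the authorization data dumped by the @kbd{nt_gss_server --dump-auth} procedure in the previous section: the following is an added example (not Heimdal code) that walks the outer ASN.1 structure of such a dump, the @code{AuthorizationData} type of RFC 1510/4120, and lists the ad-type values it carries without interpreting the Microsoft-licensed PAC bytes themselves. The sample input is constructed inline; the type numbers AD-IF-RELEVANT (1) and AD-WIN2K-PAC (128) are the ones registered in RFC 4120.

```python
# Added example (not Heimdal code): walk the DER-encoded AuthorizationData that
# nt_gss_server --dump-auth writes and list the ad-type values it contains.
# AuthorizationData ::= SEQUENCE OF SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING }
AD_IF_RELEVANT = 1    # RFC 4120: ad-data is itself an AuthorizationData
AD_WIN2K_PAC = 128    # RFC 4120: the Windows 2000 PAC, whose contents stay opaque here

def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def read_children(buf):
    """Split a constructed value into its (tag, value) children, in order."""
    pos, out = 0, []
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def parse_authorization_data(der):
    """Return [{'type': int, 'length': int, 'nested': [...]}, ...] for one AuthorizationData."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE OF")
    entries = []
    for tag, elem in read_children(body):
        if tag != 0x30:
            raise ValueError("expected SEQUENCE element")
        fields = dict(read_children(elem))         # {0xA0: ad-type, 0xA1: ad-data}
        ttag, tval, _ = read_tlv(fields[0xA0], 0)   # [0] wraps an INTEGER
        dtag, dval, _ = read_tlv(fields[0xA1], 0)   # [1] wraps an OCTET STRING
        if ttag != 0x02 or dtag != 0x04:
            raise ValueError("unexpected tags inside AuthorizationData element")
        ad_type = int.from_bytes(tval, "big", signed=True)
        entry = {"type": ad_type, "length": len(dval), "nested": []}
        if ad_type == AD_IF_RELEVANT:              # recurse into the wrapped list
            entry["nested"] = parse_authorization_data(dval)
        entries.append(entry)
    return entries

def contains_pac(entries):
    """True if an AD-WIN2K-PAC element appears anywhere in the parsed tree."""
    return any(e["type"] == AD_WIN2K_PAC or contains_pac(e["nested"]) for e in entries)

# Constructed sample input (the 16 zero bytes stand in for a PAC; not a real one).
def tlv(tag, val):
    return bytes([tag, len(val)]) + val   # short-form length suffices for the sample

def ad_element(ad_type, ad_data):
    n = ad_type.bit_length() // 8 + 1     # DER INTEGER: 128 needs two octets, 00 80
    return tlv(0x30, tlv(0xA0, tlv(0x02, ad_type.to_bytes(n, "big", signed=True)))
                   + tlv(0xA1, tlv(0x04, ad_data)))

SAMPLE = tlv(0x30, ad_element(AD_IF_RELEVANT,
                              tlv(0x30, ad_element(AD_WIN2K_PAC, b"\x00" * 16))))
```

On a real dump the Windows PAC shows up as ad-type 128 wrapped inside an AD-IF-RELEVANT (1) element, which is the shape the parser expects; anything else in the tree is reported by type and length only.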

Microsoft seems also to have forgotten to implement the checksum
algorithms @samp{rsa-md4-des} and @samp{rsa-md5-des}. This can make Name
mapping (@pxref{Create account mappings}) fail if a @code{des-cbc-md5} key
is used. To make the KDC return only @code{des-cbc-crc} you must delete
the @code{des-cbc-md5} key from the KDC using the @code{kadmin
del_enctype} command.

@example
kadmin del_enctype lha des-cbc-md5
@end example

You should also add the following entries to the @file{krb5.conf} file:

@example
[libdefaults]
	default_etypes = des-cbc-crc
	default_etypes_des = des-cbc-crc
@end example

These configuration options will make sure that no checksums of the
unsupported types are generated.

@node Useful links when reading about the Windows 2000, , Quirks of Windows 2000 KDC, Windows 2000 compatability
@comment node-name, next, previous, up
@section Useful links when reading about the Windows 2000

See also our paper presented at the 2001 USENIX Annual Technical
Conference, available in the proceedings or at
@url{http://www.usenix.org/publications/library/proceedings/usenix01/freenix01/westerlund.html}.

There is a lot of text about Kerberos on Microsoft's web site; here is a
short list of the interesting documents that we have managed to find.

@itemize @bullet

@item Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability -
@url{http://www.microsoft.com/windows2000/library/planning/security/kerbsteps.asp}
Kerberos GSS-API (in Windows-speak, SSPI), Windows as a client in a
non-Windows KDC realm, adding unix clients to a Windows 2000 KDC, and
adding cross-realm trust (@pxref{Inter-Realm keys (trust) between Windows 2000
and a Heimdal KDC}).

@item Windows 2000 Kerberos Authentication -
@url{http://www.microsoft.com/TechNet/win2000/win2ksrv/technote/kerberos.asp}
White paper that describes how Kerberos is used in Windows 2000.

@item Overview of kerberos -
@url{http://support.microsoft.com/support/kb/articles/Q248/7/58.ASP}
Links to other useful links.

@item Klist for windows -
@url{http://msdn.microsoft.com/library/periodic/period00/security0500.htm}
Describes where to get a klist for Windows 2000.

@item Event logging for kerberos -
@url{http://support.microsoft.com/support/kb/articles/Q262/1/77.ASP}.
Basically it says that you can add a registry key
@code{HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\LogLevel}
with a DWORD value equal to 1, and then you'll get Kerberos logging in the Event
Log.

@item Access to the active directory through LDAP
@url{http://msdn.microsoft.com/library/techart/kerberossamp.htm}

@end itemize

Other useful programs include these:

@itemize @bullet
@item pwdump2
@url{http://www.webspan.net/~tas/pwdump2/}
@end itemize