A-fanatic blog - Past results do not guarantee future performance

Today: Unwanted patch day

Parzival — Fri, 24 Oct 2008 08:00:00 GMT

Oke we have CAPS-LOCK DAY, independance day.. and today is Unwanted patch day..

please take note of: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

and patch your Windows systems A.S.A.P...

Delegate the right to stop/start replication

Parzival — Wed, 22 Oct 2008 07:26:00 GMT

Let's say you want to isolate a domain controller for a certain time, you would issue the command:

repadmin /options +DISABLE_INBOUND_REPL or/and +DISABLE_OUTBOUND_REPL

normally this command requires Domain Admin/Enterprise Admin privileges.
Why and how to change that below.. first the usual warnings:
Playing with ADSIEDIT could damage your domain, please test everything in a lab environment first blabla.

NOTE1:Although we can stop the replication for a single domain controller (or multiple) issuing repadmin /replicate will not look at the connection object and therefore replication will still occur, so disabling replication this way does not guarantee inbound/outbound replication is halted completely..

NOTE2:The instructions below are ONLY for those circumstances where it might be required.. in my case a domain controller had to be isolated for a short period of time where two scripts run to export and import pre-staged AD data. And while the export/import was running we did not want any changes going in or out of the DC. Only after verification of the exported/imported data, replication for this domain controller is resumed. In my case I delegate the rights to a service account (that I do not want to make Domain Admin). Delegating to persons is not advisable! Also make sure you have enough monitoring to see whether replication is halted/resumed.

WARNING: If replication is not re-enabled within the tombstone lifetime the DC will not automatically replicate anymore and will be treated as unsecure by other DC's to avoid lingering objects, please check http://technet.microsoft.com/en-us/library/cc757610.aspx

The replication of a domain controller is handled through a connection object, that object is created by the KDC (or manually when the KDC is disabled.. ). The connection object defines the from server, the interval of replication, etc etc.. through the options attribute of this object replication can be disabled or enabled. So the security of the object (or more specific the security on the options attribute of the object) defines who can enable/disable replication for a specific connection. In normal conditions only SYSTEM, Domain Administrators and Enterprise Administrators have the full control rights on these objects.

Now how to change it: Open Adsiedit and browse to the CN=<DC>,CN=Servers,CN=<SITE>,CN=SITES,CN=Configuration,DC=<DOMAIN>,DC=<EXT>

below the server entry you will see the connection object with it's GUID . Right click that and select properties, then select the security tab, click Advanced, click add and add the account you like, now do not click OK yet, click properties and select Read Options, Write Options and click OK, OK, OK.

NOTE3: The options attribute is not soley used for disable/enable replication, it is also used to make a DC a GC etc.. delegating the rights to this attribute also gives the delegated account these rights!

And a big thanks to: ActiveDir.org and Spat for the info!

Replication tasks

Parzival — Tue, 21 Oct 2008 08:36:00 GMT

When setting up delegation for replication, or other replication tasks many struggle to find the right object/attribute in the AD. Just found a neat link from Microsoft that could come in handy: http://technet.microsoft.com/en-us/library/cc756075.aspx

With entries like:

Enable Change Notification between sites (only for IP transport links)

WP on cn=<SiteLinkName>, cn=IP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where the SiteLinkName identifies the associated site link, to modify the options attribute

or:

Specify a fixed-port for RPC-based replication

WP on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters to modify the registry entry TCP/IP Port

Next to come on this blog, delegating the right to disable/enable replication to a specific DC !

Repadmin /expert

Parzival — Wed, 10 Sep 2008 11:53:00 GMT

Repadmin is the tool used to troubleshoot replication in an Active Directory forest.. commands like repadmin /replsum (to view replication summary) or repadmin /showutdvec (to view USN per domain controller).. are common commands.. it get's tougher when we want to create or modify links during troubleshooting.. then we use /add to add replication links between two servers..

But aren't replication links the what we see in Sites & Services?
Actually no.. the links are the actual replication agreements between the two servers, each partition of the AD has it's own replication link per server.. to view them we can use repadmin:

Repadmin: running command /showconn against full DC localhost
Base DN: CN=DATACENTER1,CN=Sites,CN=Configuration,DC=ROOTDOMAIN,DC=LOCAL
==== KCC CONNECTION OBJECTS ============================================
Connection --
    Connection name : 28e853b9-4c32-4288-87c7-d4b09beaab97
    Server DNS name : DC01.ROOTDOMAIN.LOCAL
    Server DN name : CN=NTDS Settings,CN=DC01,CN=Servers,CN=DATACENTER1,CN=Sites,CN=Configuration,DC=ROOTDOMAIN,DC=LOCAL
        Source: DATACENTER2\DC02
                No Failures.
        TransportType: IP
        options: isGenerated overrideNotifyDefault
        ReplicatesNC: CN=Configuration,DC=ROOTDOMAIN,DC=LOCAL
        Reason: IntersiteTopology
                Replica link has been added.
        ReplicatesNC: DC=DomainDnsZones,DC=ROOTDOMAIN,DC=LOCAL
        Reason: IntersiteTopology
                Replica link has been added.
        ReplicatesNC: DC=ForestDnsZones,DC=ROOTDOMAIN,DC=LOCAL
        Reason: IntersiteTopology
                Replica link has been added.
        ReplicatesNC: DC=ROOTDOMAIN,DC=LOCAL
        Reason: IntersiteTopology
                Replica link has been added.
Connection --
    Connection name : 3329e0ea-9caa-4fd8-92aa-12605fdf4773
    Server DNS name : DC01.ROOTDOMAIN.LOCAL
    Server DN name : CN=NTDS Settings,CN=DC01,CN=Servers,CN=DATACENTER1,CN=Sites,CN=Configuration,DC=ROOTDOMAIN,DC=LOCAL

So in the above text we have DC1 that has a replication object to DC2` .. within that replication object multiple links exist. As you can see, it replicates ForestDnsZones,DomainDnsZones,Configuration and Domain.. and i can hear you asking What about the schema partition? That actually uses the configuration link to replicate and is therefore not shown.

So you can see the Connection Object (what you see in sites and services) as the container that holds multiple links..

Now ay we have a large forest with a lot of troubles.. DC1 and DC2 do not replicate and the KCC is going nuts about .. well are there is.. then we can do the following: We can disable the KCC, delete the connection objects and create the connections ourselves.. initiate replication and enable the KCC again to figure it out on its own again..There is one advantage to this above the KCC.. the KCC uses as you see in the above output: not the actual servername, but the DN field of the NTDS object of the target server.. using the repadmin /add command you can specify the server based on FQDN or Hostname. Basically disconnecting the referral process within AD for replication and using normal name lookup mechanisms. If you DNS is okay, your servers should be able to find each other and replicate normally.

Now the expert command has two options for adding replication links.. the Repadmin /add command and the Repadmin /addRepsTo Command..
the question raised is.. what's the difference.. can't I just use one and reverse the inbound outbound DC?

The answer is no.. the two different attributes we are referring to in this blog is are Reps-From and Reps-To in the connection objects.
The Reps-From is always used (remember AD is pull mechanism, not push). The Reps-To attribute is only used when a change notification is enabled on the link.. a connection object with a Reps-To in his connection object will tell the source DC to notify the To Partner.. and that partner will use the Reps-From attribute to find his DC to GET the data from..

Basically .. when you have disable replication notification for a connection object in a normal situation connection object does not have a Reps-To attribute. Now note that the RepFrom and RepTo attribute are the actual links below a connection object..

When the KCC is switched on again all values will be overwritten and Reps-From and Reps-To are overwritten..since a new connection object is created.. this new connection object created by the KCC uses the fromServer:CN=NTDS,SERVER... attribute for the connection object.. Notification is switched on or off through the options of the connection object. (in BITS format.. ) not on the connection link..

The Repadmin /add and /AddrepsTo is usually used during crisis situations or when trying to remove lingering objects..

More experthelp can be found using repadmin /experthelp

More info: ? http://technet.microsoft.com/en-us/library/cc811549.aspx

<<more information will follow shortly>>

Deleted DN's in attribute fields

Parzival — Fri, 22 Aug 2008 13:27:00 GMT

Let's say an object in AD has an attribute that is a reference to another object based on DN The targeted object is deleted.. and the attribute field changes to the deleted objects CN like:

CN=name\0ADEL:ff920d6f-d823-4fff-9448-b645bd40d5e2,CN=Deleted Objects,DC=child,DC=ROOTDOMAIN,DC=LOCAL

Now when we try to clone that object to create a new object (for example user copy) the AD U&C MMC could throw an exception saying: The naming context could not be found. This is due to the fact that an LDAP client cannot retrieve the Deleted Objects CN without the proper LDAP control 1.2.840.113556.1.4.417 set. Thus the naming context (and therefore the object) cannot be found and copied to the new object and the copy fails. (at least on 2003DC's)

Microsoft Certified Master: Windows 2008 - Directory

Parzival — Thu, 21 Aug 2008 14:46:00 GMT

!PASSED!

As one of the first (now 26 worldwide), I can now call myself an MCM:Windows 2008-Directory!.. Congrats to all others!

The Microsoft Certified Master: Windows Server 2008, Active Directory program provides the most in-depth and comprehensive training that is available today for the latest version of Windows Server 2008 with a focus on Active Directory. This three-week training program is delivered by recognized experts from Microsoft and Microsoft Partner organizations.

Trial Editions :(

Parzival — Tue, 19 Aug 2008 18:51:00 GMT

Don't you just love them..

anyone knows how to reset the grace period (and let me finish my Kerberos investigation) let me know.....

(windows 2003 SP2)

Kerberos part II

Parzival — Fri, 15 Aug 2008 10:48:00 GMT

Lets have a look at the debug log in unconstraint delegation:

388.500> Kerb-Trace: KerbCreateTokenFromTicket for ROOTDOMAIN\Administrator, (null)
388.500> Kerb-Trace: SpAcceptLsaModeContext called KerbMapContext ContextAttributes 0x5, 0
388.468> Kerb-Bnd: KerbInsertBinding binding cache disabled
388.468> Kerb-Bnd: Calling kdc 192.168.10.1 for realm ROOTDOMAIN.LOCAL
388.468> KSupp-Trace: Calling KDC: 192.168.10.1
388.468> Kerb-SPN: KerbInsertSpnCacheEntry spn cache disabled
388.468> Kerb-Bnd: KerbInsertBinding binding cache disabled
388.468> Kerb-Bnd: Calling kdc 192.168.10.1 for realm ROOTDOMAIN.LOCAL
388.468> KSupp-Trace: Calling KDC: 192.168.10.1

and the constraint one:

384.472> Kerb-Trace: KerbCreateTokenFromTicket for ROOTDOMAIN\Administrator, (null)
384.472> Kerb-LSess: KerbCreateLogonSessionFromTicket creating logon session for 0:0x29766, accepting 0:0x3e4, client Administrator@ROOTDOMAIN.LOCAL
384.472> Kerb-Trace: SpAcceptLsaModeContext called KerbMapContext ContextAttributes 0x5, 0
384.600> Kerb-Bnd: KerbInsertBinding binding cache disabled
384.600> Kerb-Bnd: Calling kdc 192.168.10.1 for realm ROOTDOMAIN.LOCAL
384.600> KSupp-Trace: Calling KDC: 192.168.10.1
384.480> Kerb-Cred: Acquiring cred, S4U required
384.600> Kerb-Warn: KerbGetTgsTicket failed to unpack KDC reply: 0x3c
384.600> KSupp-Warning: KerbUnpackData failed to unpack typed data, trying error method data
384.600> KSupp-Error: KerbUnpackErrorData received failure from kdc 0xd KLIN(0) NTSTATUS(0xc0000272)
384.484> Kerb-SPN: Found in SPN Cache 00111770 384.484> Kerb-S4u: Trying S4UProxy for ls 0009E9F8
384.600> Kerb-S4u: No match on S4UTarget
384.600> Kerb-Warn: Failed S4Uproxy request c0000272(8)
384.484> Kerb-Bnd: KerbInsertBinding binding cache disabled
384.484> Kerb-Bnd: Calling kdc 192.168.10.1 for realm ROOTDOMAIN.LOCAL
384.484> KSupp-Trace: Calling KDC: 192.168.10.1

Now it is hard to find any link forthe error thrown.. but according to http://technet.microsoft.com/en-us/library/cc738673.aspx it is

0x3

KDC_ERR_BAD_PVNO

Requested protocol version number not supported.

Both machines are Windows 2003 SP2, but the domain controller is not SP2.. let's upgrade..

no luck there, but the error has changed!

472> Kerb-Trace: KerbCreateTokenFromTicket for ROOTDOMAIN\Administrator, (null)
388.472> Kerb-LSess: KerbCreateLogonSessionFromTicket creating logon session for 0:0x11a81a, accepting 0:0x3e4, client Administrator@ROOTDOMAIN.LOCAL
388.472> Kerb-Trace: SpAcceptLsaModeContext called KerbMapContext ContextAttributes 0x5, 0
388.572> Kerb-Warn: KerbGetTgtForService getting new TGT for account
388.572> Kerb-LSess: KerbFindCommonPaEtype using current password of sp01$@ROOTDOMAIN.LOCAL
...

388.572> Kerb-Warn: KerbGetTgsTicket failed to unpack KDC reply: 0x3c
388.572> KSupp-Warning: KerbUnpackData failed to unpack typed data, trying error method data
388.572> KSupp-Error: KerbUnpackErrorData received failure from kdc 0xd KLIN(0) NTSTATUS(0xc0000272)
388.572> Kerb-S4u: No match on S4UTarget
388.572> Kerb-Warn: Failed S4Uproxy request c0000272(8)
388.508> Kerb-Cred: Acquiring cred, S4U required
388.476> Kerb-S4u: Trying S4UProxy for ls 0009E9F8
388.476> Kerb-Bnd: KerbInsertBinding binding cache disabled
388.476> Kerb-Bnd: Calling kdc 192.168.10.1 for realm ROOTDOMAIN.LOCAL
388.476> KSupp-Trace: Calling KDC: 192.168.10.1
388.476> Kerb-SPN: KerbInsertSpnCacheEntry spn cache disabled
388.476> Kerb-Warn: Trying to delegate but no forwardable TGT
388.476> Kerb-Warn: KerbBuildGssChecksum failed to get delegation TGT: 0x8009030e

** Appareantly the server is not able to get a forwardable TGT.. MS sais:

The Kerberos protocol includes a mechanism called delegation of authentication. When this mechanism is used, the client (the requesting service) delegates authentication to a second service by informing the KDC that the second service is authorized to act on behalf of a specified Kerberos security principal, such as a user that has an Active Directory directory service account. The second service can then delegate authentication to a third service.

This is accomplished using a proxy TGT or a forwarded TGT. When a proxy TGT is used, the requesting service obtains a TGT for the third service in the security context of a specific user and then passes the TGT to the second service, which uses it to request service tickets. In this case, the requesting service must know the name of the third service. When a forwarded TGT is used, the requesting service obtains a TGT that is marked forwardable for the second service in the security context of the user. The second service can use this TGT to request tickets for other services as needed.

Only forwardable TGTs can be used for constrained delegation. A TGT can be marked forwardable only if the account under which the requesting service is running has the ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION control flag set. For Forefront TMG, this is the Active Directory computer account of the Forefront TMG computer. This flag is automatically set when the account under which the requesting service is running is configured as trusted for Kerberos constrained delegation in Active Directory.

In adsiedit the current controlflag is set to 4096 -

WORKSTATION_TRUST_ACCOUNT

0x1000

4096

In a galaxy far and far away, we connect

Parzival — Fri, 15 Aug 2008 08:36:00 GMT

In omy investigation towards kerberos constraint delegation I found a funny packet that needed further investigation.. it's a protocol called LTP-DEEPSPACE..

in my trace I saw a connection from one of the clients
192.168.10.2 192.168.10.1 TCP ltp-deepspace > kerberos [SYN] Seq=0 Win=65535 Len=0 MSS=1460

followed by the ACK

192.168.10.1 192.168.10.2 TCP kerberos > ltp-deepspace [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460

Now why would a protocol connect to my Kerberos port.. Google offcourse gave the answer: ftp://ftp.rfc-editor.org/in-notes/internet-drafts/draft-irtf-dtnrg-ltp-10.txt

This document describes the Licklider Transmission Protocol (LTP),
   designed to provide retransmission-based reliability over links
   characterized by extremely long message round-trip times (RTTs)
   and/or frequent interruptions in connectivity. Since communication
   across interplanetary space is the most prominent example of this
   sort of environment, LTP is principally aimed at supporting "long-
   haul" reliable transmission in interplanetary space, but it has
   applications in other environments as well.

   LTP does Automatic Repeat reQuest (ARQ) of data transmissions by
   soliciting selective-acknowledgment reception reports. It is
   stateful, and has no negotiation or handshakes.

   In an Interplanetary Internet setting deploying the Bundle protocol
   that is being developed by the Delay Tolerant Networking Research
   Group, LTP is intended to serve as a reliable "convergence layer"
   protocol operating in pairwise fashion between adjacent
   Interplanetary Internet nodes that are in direct RF communication.
   In that operational scenario, and potentially in some other
   deployments of the Bundle Protocol, LTP runs directly over a data-
   link layer protocol; when this is the case, forward error correction
   coding and/or checksum mechanisms in the underlying data-link layer
   protocol must assure the integrity of the data passed between the
   communicating entities.

   Since no mechanisms for flow control or congestion control are
   included in the design of LTP, this protocol is not intended or
   appropriate for ubiquitous deployment in the global Internet.

   When LTP is run over UDP, it must only be used for software
   development or in private local area networks. When LTP is not run
   over UDP, it must be run directly over a protocol, (nominally a link-
   layer protocol), that meets the requirements specified in section 5.

Nice to know mankind is looking forward in expanding the boundaries of TCP/IP into space

Kerberos multiple hops!

Parzival — Fri, 08 Aug 2008 10:08:00 GMT

You all remember the maximum 2 hops for Kerberos right.. well in Microsoft land it works a little different and it is possible to create a multiple tier Kerberos delegation structure.

Basically we want the following to happen:

Client->IIS1->IIS2->IIS3->IIS4 where all hops require Kerberos authentication

In this case, IIS1, IIS2 and IIS3 need to be trusted for delegation. In my test lab I’ve used (http://support.microsoft.com/kb/314404) for the setup..

Reach To IIS server on IIS1

User Id = ROOTDOMAIN\AdministratorThe Negotiate method was used!

The user was logged on using Kerberos.

Attempt to connect to http://IIS2.rootdomain.local/default.asp by using ServerXMLHTTP

Receiver Status Text: OK (200)

Reach To IIS server on IIS2

User Id = ROOTDOMAIN\AdministratorThe Negotiate method was used!

The user was logged on using Kerberos.

Attempt to connect to http://IIS3.rootdomain.local/default.asp by using ServerXMLHTTP

Receiver Status Text: OK (200)

Reach To IIS server on IIS3

User Id = ROOTDOMAIN\AdministratorThe Negotiate method was used!

The user was logged on using Kerberos.

Attempt to connect to http://IIS4.rootdomain.local/default.asp by using ServerXMLHTTP

Receiver Status Text: OK (200)

Reach To IIS server on IIS4

User Id = ROOTDOMAIN\AdministratorThe Negotiate method was used!

The user was logged on using Kerberos.

So the log file shows you it all works!.. please keep the above information in mind when designing security for your applications!

(explanation: In Microsoft land, each trusted for delegation object requests tickets on behalf of the user instead of using the forwarded ticket from the user). If a trusted object requests a ticket for the next service which is also trusted for delegation the forwardable flag is not cleared, therefore the next hop can re-request tickets on behalf of the user for the next hop. )

So if we look at the traffic on IIS2 (called SQL01 here and IIS3 is called IS02).. you see IIS2 server requesting a ticket on behalf of the Administrator (user account) for the IIS3 service (IS02.rootdomain.local)

*****************************************************************

Constraint Delegation

So you want to set it up for constraint delegation.. users who's computers are not on the domain must be able to login to the same application.. that's where things go wrong!..

Reach To IIS server on SP01
User Id = ROOTDOMAIN\AdministratorThe Negotiate method was used!
The user was logged on using Kerberos.
Please do not refresh this page.

Attempt to connect to http://SQL01.rootdomain.local/default.asp by using ServerXMLHTTP
Receiver Status Text: OK (200)

Reach To IIS server on SQL01
User Id = ROOTDOMAIN\AdministratorThe Negotiate method was used!
The user was logged on using Kerberos.
Please do not refresh this page.

Attempt to connect to http://IS02.rootdomain.local/default.asp by using ServerXMLHTTP
Receiver Status Text: Unauthorized (401)
You are not authorized to view this page

looks like we can only have two hops.. lets have a look .....

We set the First IIS server to use Constraint Delegation (all services) towards the 2nd IIS server. Again, we take a look at the network..

In the network layer we see the challenge from the IIS webserver (highlighted).. and then NO Kerberos request for a new ticket on behalf of the user.. the servers reconnects to the IIS server and (192.168.10.3) cannot provide it credentials for Kerberos. The webserver switches over to NLTM (Challenge). The server can only answer to the NTLM challenge with the server's key (or Service Account) and therefore breaking the delegation model. (access denied message)

So the question lies in what the first IIS webserver does when requesting a ticket on behalf of the user in Constraint and unConstraint delegation. Again we switch over to the network capture..

In a non constraint delegation model, the 1st webserver requests a ticket with options: 4081000 (forwardable, Renewable, Canonicalize) for the 2nd webserver (url sql01.rootdomain.local).

Now as we enable constraint delegation (allowing users to logon with another authentication protocol) we see the difference:

The ticket itself has the Contrained Delegation flag set! and that should probably be why this ticket cannot be used to get another ticket on behalf of the user on the 2nd webserver.

* The quest continues..

I did another packetsniff let's take a look at what happens in order:

The client connects to the webserver and retrieves an unauthorized:
   17 -7172.250000 192.168.10.2 192.168.10.14 HTTP HTTP/1.1 401 Unauthorized (text/html)
The client requests is Ticket Granting Ticket
   19 -7172.203125 192.168.10.14 192.168.10.1 KRB5 AS-REQ
         KDCOptions: 40810010 (Forwardable, Renewable, Canonicalize, Renewable OK)
         Client Name (Principal): Administrator
         Realm: ROOTDOMAIN.LOCAL
The client receives it's AS
   20 -7172.171875 192.168.10.1 192.168.10.14 KRB5 AS-REP

Then the client wants it's TGS (service ticket)
   21 -7172.156250 192.168.10.14 192.168.10.1 KRB5 TGS-REQ
         KDCOptions: 40800000 (Forwardable, Renewable)
         Server Name (Service and Instance): HTTP/sp01.rootdomain.local
         Name: HTTP
         Name: sp01.rootdomain.local
The client receives the ticket
   22 -7172.140625 192.168.10.1 192.168.10.14 KRB5 TGS-REP
And re-connect to the webserver with authorization
   24 -7172.109375 192.168.10.14 192.168.10.2 HTTP GET / HTTP/1.1
      [truncated] Authorization: Negotiate IFCQYGKwYBBQUCoIIE/TCCBPmgJDAiBgkqhkiC

Let's take it from there and switch to the SP01.rootdomain.local server
The first thing we see is our LDP_DEEPSPACE check (see other posting)
19 -7193.078125 192.168.10.2 192.168.10.1 TCP ltp-deepspace > kerberos [SYN] Seq=0 Win=65535 Len=0 MSS=1460

Although we gave the kerberos ticket for the user already, the next thing we see is another request:
   23 -7193.062500 192.168.10.2 192.168.10.1 KRB5 TGS-REQ
      KDCOptions: 40830000 (Forwardable, Renewable, Constrained Delegation, Canonicalize)
      Server Name (Service and Host): host/sp01.rootdomain.local
         Name-type: Service and Host (3)
         Name: host
         Name: sp01.rootdomain.local

Note that 192.168.10.2 IS the host itself and that the host is requesting a ticket for it'self!, lets compare that to the unconstraint request in another packet sniff: The first packet we see there is the request for the next hop, so the client itself is NOT requesting a host ticket when unconstraint delegation is used:>

   28 -7198.734375 192.168.10.2 192.168.10.1 KRB5 TGS-REQ
      KDCOptions: 40810000 (Forwardable, Renewable, Canonicalize)
      Server Name (Service and Instance): HTTP/sql01.rootdomain.local
         Name-type: Service and Instance (2)
         Name: HTTP
         Name: sql01.rootdomain.local

Followed by another request immediately:
   30 -7198.734375 192.168.10.2 192.168.10.1 KRB5 TGS-REQ
      KDCOptions: 60810010 (Forwardable, Forwarded, Renewable, Canonicalize, Renewable OK)
       Server Name (Service and Instance): krbtgt/ROOTDOMAIN.LOCAL
         Name-type: Service and Instance (2)
         Name: krbtgt
         Name: ROOTDOMAIN.LOCAL

Back to the original constraint delegation packet.. after requesting a ticket for the host, an error is thrown back:
   25 -7193.031250 192.168.10.1 192.168.10.2 KRB5 KRB Error: KRB5KDC_ERR_BADOPTION NT Status: STATUS_NO_MATCH
      error_code: KRB5KDC_ERR_BADOPTION (13)
      Server Name (Service and Host): host/sp01.rootdomain.local
         Name-type: Service and Host (3)
         Name: host
         Name: sp01.rootdomain.local
      e-data PA-PW-SALT
            Value: 720200C00000000003000000
            NT Status: STATUS_NO_MATCH (0xc0000272)

Appearantly we are not receiving the kerberos ticket, and there is no retry.. the next packet is the next hop request:
34 -7192.640625 192.168.10.2 192.168.10.3 HTTP GET /default.asp HTTP/1.1
37 -7192.062500 192.168.10.3 192.168.10.2 HTTP HTTP/1.1 401 Unauthorized (text/html)

And the request for the next hop ticket:
   43 -7192.046875 192.168.10.2 192.168.10.1 KRB5 TGS-REQ
      KDCOptions: 40830000 (Forwardable, Renewable, Constrained Delegation, Canonicalize)
      Server Name (Service and Instance): HTTP/sql01.rootdomain.local
         Name-type: Service and Instance (2)
         Name: HTTP
         Name: sql01.rootdomain.local

The SQL01 hop tries the same request for the host ticket but receives the same error:
34 -7186.406250 192.168.10.1 192.168.10.3 KRB5 KRB Error: KRB5KDC_ERR_BADOPTION NT Status: STATUS_NO_MATCH

Now lets investigate the ERRor..

I've enabled kerberos error logging (debug level) and found:

(

How to turn on debug output

There are a number of ways to view the debug output from Kerberos. The easiest way is by logging the debug output to a file and then opening this file in Notepad.

1.	Click Start, click Run, type regedit.exe, and then press ENTER. Caution Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
2.	Open the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\
3.	Create the following entry: Value: KerbDebugLevel Type: DWORD Data: c0000043 (this value will print the most standard set of debug messages. Try it first. If you still want to see more output, set it to ffffffff).
4.	Create the following entry in the same registry location: Value: LogToFile Type: DWORD Data: 1
5.	Reproduce the error
6.	Open the file lsass.log, located in the System32 directory of your Windows folder. You can find the debug output inside this file.

)

384.488> Kerb-Trace: KerbCreateTokenFromTicket for ROOTDOMAIN\Administrator, (null)
384.488> Kerb-Trace: SpAcceptLsaModeContext called KerbMapContext ContextAttributes 0x5, 0
384.500> Kerb-SPN: Found in SPN Cache 00111770 384.500> Kerb-Bnd: KerbInsertBinding binding cache disabled
384.500> Kerb-Bnd: Calling kdc 192.168.10.1 for realm ROOTDOMAIN.LOCAL
384.500> KSupp-Trace: Calling KDC: 192.168.10.1
384.472> Kerb-Trace: KerbCreateTokenFromTicket for ROOTDOMAIN\Administrator, (null)
384.472> Kerb-LSess: KerbCreateLogonSessionFromTicket creating logon session for 0:0x29766, accepting 0:0x3e4, client Administrator@ROOTDOMAIN.LOCAL
384.472> Kerb-Trace: SpAcceptLsaModeContext called KerbMapContext ContextAttributes 0x5, 0
384.600> Kerb-Bnd: KerbInsertBinding binding cache disabled
384.600> Kerb-Bnd: Calling kdc 192.168.10.1 for realm ROOTDOMAIN.LOCAL
384.600> KSupp-Trace: Calling KDC: 192.168.10.1
384.480> Kerb-Cred: Acquiring cred, S4U required
384.600> Kerb-Warn: KerbGetTgsTicket failed to unpack KDC reply: 0x3c
384.600> KSupp-Warning: KerbUnpackData failed to unpack typed data, trying error method data
384.600> KSupp-Error: KerbUnpackErrorData received failure from kdc 0xd KLIN(0) NTSTATUS(0xc0000272)
384.484> Kerb-SPN: Found in SPN Cache 00111770 384.484> Kerb-S4u: Trying S4UProxy for ls 0009E9F8
384.600> Kerb-S4u: No match on S4UTarget
384.600> Kerb-Warn: Failed S4Uproxy request c0000272(8)
384.484> Kerb-Bnd: KerbInsertBinding binding cache disabled
384.484> Kerb-Bnd: Calling kdc 192.168.10.1 for realm ROOTDOMAIN.LOCAL
384.484> KSupp-Trace: Calling KDC: 192.168.10.1

So the request for a ticket on behalf of the client fails, therefore the next hop SQL01 can still be reached by the client's initial ticket, however that ticket is limited to only 2 hops. This is also seen on the client (XP) side when requesting the active tickets:

Cached Tickets: (2)

   Server: krbtgt/ROOTDOMAIN.LOCAL@ROOTDOMAIN.LOCAL
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 8/15/2008 21:07:02
      Renew Time: 8/22/2008 11:07:02

   Server: HTTP/sp01.rootdomain.local@ROOTDOMAIN.LOCAL
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 8/15/2008 21:07:02
      Renew Time: 8/22/2008 11:07:02

So after the 2nd hop (SQL) the initial ticket is not valid anymore and cannot be forwarded to the next hop. Access Denied is the result..

Kerberos & PAC validation

Parzival — Mon, 14 Jul 2008 23:40:00 GMT

http://support.microsoft.com/kb/906736

basically, all Kerberos tickets in windows have a PAC (that holds all the groups of the identity). If the resource that is accessed is NOT running under system account (but user/service), the resource will issue a verification of the PAC at the nearest domain controller. That DC will verify the PAC load and will give the green light.

So in real world:

Say you have a resource, a dc and a client. The clients accesses the resource that is running under a service account, the client retrieves the Kerberos ticket for the resource (if SPN's are registered etc etc) and the client can access. (the resource will get the PAC load, give it to the DC etc). Now the kerberos ticket the client got will be valid for 10 hours offcourse, but lets say the connection to the resource is broken (user closes application or something) and the DC goes down.. now even if the user reconnects to the resource within that 10 hour limit, he will NOT gain access to the resource since the PAC validation will fail! The KB talks about the resolution for that.

Preparing for the visit to MS

Parzival — Wed, 25 Jun 2008 07:18:00 GMT

The time has come, I get to go to Redmond! I will be attending the new Windows 2008 Master program. ..

No holiday trip though, the course runs everyday of the week (including weekends) starting at 8AM with just one day off (probably to catch some required sleep and do homework).

So probably no sleep, lots of new things and hopefully the right to carry the new Master logo.

More information and offcourse if I made it to the top will follow!

How to authenticate

Parzival — Tue, 24 Jun 2008 14:15:00 GMT

So the problem:

All mailboxes of the users are migrated to a central Exchange server, comming from various Exchange 5.5/2003/2003 mailservers (contact me if you want to know how :) ) . and mailboxes where cloned.. now the client needs to be pointed to the new exchange server else Outlook will not work. The challenge, how do you change your mapi profile.

We had 4 scenario's

1: The domain is NT4 no trust or no domain at all!
2: The domain the user is in, has a trust with the Exchange domain
3 The domain the user is in is a Windows 2000/2003/2008 domain no trust
4: The user is in the domain

I've created a script that takes into account these 4 different options and uses them to determine the actual authentication path. To migrate the MAPI profile itself we used the program EXPROFRE.exe.

ExprofRe has to be called like: ExprofRe.exe /logfile= /targetGc=

Problem is, the authentication to the targetGC..

1: When there is no trust and the source domain is NT4 or a standalone machine, we use NTLM passthrough authentication. Inside the script we create a new local user, with the same username and password as a user in the target domain. To add this user (while a regular user is logged in) we do a runas:

Sub CreateProfmigAccount()

ExtDiag " Running in NT migration mode, user account must exist"
strWindir = WshShell.ExpandEnvironmentStrings("%Windir%")

On Error Resume Next

Set objUser = GetObject("WinNT://" & gstrClient & "/" & strMigUser)
If err=0 Then
  Out " Account already exists."
  Exit Sub
Else
  Set objUser = Nothing
  err.clear
End If

Diag " Admin account : " & strLocalAdmin
Diag " Account to create : " & strMigUser

Call MigrationAccountCheck

strProg = "CMD /C NET USER " & strMigUser & " " & Unscramble(strMigPass) & " /ADD"
strCmd = "runas /env /user:" & Unscramble(strLocalAdmin) & " """ & strProg & """"
ExtDiag strCmd
rc=WshShell.Run(strCmd,2,False)
strWindowTitle = strWindir & "\System32\runas.exe"
ExtDiag strWindowTitle
bolResult = False
bolResult = WshShell.AppActivate(strWindowTitle)
while bolResult = False
  StdOut.WriteLine " Focus Failed, retrying."
  WScript.Sleep 50
  bolResult = WshShell.AppActivate(strWindowTitle)
Wend
StdOut.WriteLine " Focus succeeded."
strLocalAdminPass2=Unscramble(strLocalAdminPass)
WshShell.SendKeys(strLocalAdminPass2 & "~")
wscript.sleep 1000
bolCreated = false
Retry = 0
Do While bolCreated = False And Retry < 10
  WScript.Sleep 1000
  Set objUser = GetObject("WinNT://" & gstrClient & "/" & strMigUser)
  If err=0 Then
   Diag " Account created."
   Exit Sub
  Else
   Set objUser = Nothing
   retry = retry + 1
   Diag "Did not find user, rechecking (" & tetry & ")"
   err.clear
  End If
Loop

End Sub

After the local user is created we do roughly the same thing, kicking off the exprofRe with a /netonly option and with the newly created user. Because of the /netonly the GC will be reached with an account that has the same username/password as an account in the target domain. Offcourse the accounts is also deleted afterwards.

2: When there is no trust between the domains, we can use UPN Suffixes. Add a new UPN suffix to the target domain (migrations.local for example). Create a new user on the target domain (GC@migrations.local) and create the exact same on the Windows 2000/2003/2008 domain of the source.

On the client side we can now do a runas /netonly /user:GC@migrations.local Exprof....blabla

3: When there is a trust, just use runas /netonly /user:<targetdomain>\username Exprof blabal

4: just run Exprof with the options

So basically, there are numerous ways to script around authentication, use your imagination to see which one fits your requirements

Sub RunExprofRE(strValue2)
' *********ExProfRedirector runner************************
' Runs ExprofRe with MigUser credentials in RunAs /Netonly
' First sets command ready and creates CMD object
' then runs cmd window with command
' finally enters the password using sendkey's
'*********************************************************

Set StdOut = WScript.StdOut
strLogonServer = WshShell.ExpandEnvironmentStrings("%LogonServer%")

If useRPC=0 Then
  strProg = strExprofRe & " /logfile=" & strLogLocation & "\" & WshNetwork.ComputerName & "-" & "%USERNAME%" & "-" & strValue2 & ".log /q /targetgc=" & strGCServer
  Diag strExprofRe & " /logfile=" & strLogLocation & "\" & WshNetwork.ComputerName & "-" & "%USERNAME%" & "-" & strValue2 & ".log /q /targetgc=" & strGCServer
Else
  strProg = strExprofRe & " /logfile=" & Chr(34) & strLogLocation & "\" & WshNetwork.ComputerName & "-" & "%USERNAME%" & "-" & strValue2 & ".log /q /targetgc=" & strGCServer & " /p=" & strRpcPath
  Diag strExprofRe & " /logfile=" & strLogLocation & "\" & WshNetwork.ComputerName & "-" & "%USERNAME%" & "-" & strValue2 & ".log /q /targetgc=" & strGCServer & " /p=" & strRpcPath
End If

If ScriptMode=4 Then
  'Using only simple command
  Diag "Running Mode 4 of script, running:"
  Diag strProg
  stdOut.WriteLine " Command initialized"
  rc=WshShell.Run(strProg,2,False)
Else
  'Set command ready
  Select Case ScriptMode
   Case 1 'NT4
   strCmd = "runas /env /netonly /user:" & gstrClient & "\" & strMigUser & " " & chr(34) & strProg & chr(34)
   Diag "==> COMMAND THAT WILL BE RAN <===== NT4 Mode"
   Diag strCmd
   Case 2 ' UPN migration
   strCmd = "runas /env /netonly /user:" & strMigUser & " " & chr(34) & strProg & chr(34)
   Diag "==> COMMAND THAT WILL BE RAN <===== UPN Mode"
   Diag strCmd
   Case 3 ' Trusted Domain Migration
   strCmd = "runas /env /netonly /user:" & strMigUser & " " & chr(34) & strProg & chr(34)
   Diag "==> COMMAND THAT WILL BE RAN <===== TRUST Mode"
   Diag strCmd
  End Select

  Diag "Command initialized"
  rc=WshShell.Run(strCmd,2,False)

  strWindowTitle = strWindir & "\System32\runas.exe"
  'Wait for command window
  bolResult = False
  bolResult = WshShell.AppActivate(strWindowTitle)
  while bolResult = False
   ExtDiag " Preparing Command for Execution"
   Wscript.sleep 50
   bolResult = WshShell.AppActivate(strWindowTitle)
  Wend

  stdOut.WriteLine " Executing command"
  'Sending Password
  strMigpass2=Unscramble(strMigPass)
  ExtDiag strMigPass
  WshShell.SendKeys(strMigpass2 & "~")
End If

End Sub

Cops Spying

Parzival — Mon, 19 May 2008 09:24:00 GMT

a nice article in tweakers.net/Parool this morning..

appareantly the cops are hacking into computer systems these days (well did it offcourse for a long long LOOOONG time.. but they admitted it now :) ) .. to place the listning software they use backdoors of unpatched systems, "forgotten USB sticks" and e-mail attachements.. in hope the bad guys are actually dumber than they are..

Offcourse the cops are very enthousiastic about these "new" technologies since they can use your webcam to make pictures, use the mic to hear you talk etc.. and since Skype has a very good encryption this is the easiest way to intercept phone calls. and now for the actual news of this post.. the law does not permit, nor prohibit this method.. it's just not mentioned in the dutch law!.. so the cops say it is legal because of the lack of the law.. opposites claim it is illegal since it is not (yet) approved..

waiting for trial cases.. in the meantime of you are a bad guy.. PATCH your system.. do NOT plug in found USB drives and DO NOT open attachements send by persons you do not know/trust aaah wait.. wasn't that the advice already since like 5 years for everyone!!

Next RID number

Parzival — Thu, 08 May 2008 11:45:00 GMT

So let's say you want to know how many objects are created on a domain controller, you want to see shen it's receiving a new RID pool?

checkout the RID-SET

Set ObjRid= GetObject ("LDAP://CN=RID Set,CN=DC01,OU=Domain Controllers,DC=fabrikam,DC=com")

it lists all the properties that the LOCAL! DC uses to handout RID numbers.. if the rIDPreviousAllocationPool and rIDAllocationPool are the same, the server is still on it's initial RID pool.. but that can also be viewed by looking at the creation and modification date offcourse (whenCreated, whenChanged)

Putting:

Set ObjRid= GetObject ("LDAP://CN=RID Set,CN=NLDATADC04,OU=Domain Controllers,DC=intra,DC=NUMICO,DC=NET")
intRidNumber=objrid.rIDNextRID
wscript.echo "Rid Number:" & intRidNumber

in a script will give you the next RID number.. but that is PER domain controller!

(UPDATE: It is not the nextRID being given out.. it's the last used RID: MS docs are going to be updated)

The large number must be splitted, (for example in LDP Large Integer Converter). Low=number of given out SID's to all DC's (per 500) and high number is top of the RID pool.

Just for fun :)