kerberos TGS for an IP address


Guest Ondrej Sevecek
Posted

Hello,

my tests show the following thing. I would like to hear please a confirmation of the fact, or something that would explain what I do incorrectly or what to change.

Vista never uses Kerberos for servers (at least HTTP, SMB/CIFS) whose name is specified by an IP address, is that right?

In different words:

Vista (as against XP) never ASKS for a TGS if the name of the server is specified as an IP address, is that right?

By using the word ASKS I would like to stress the fact that XP always asks for a TGS, which may not be available because an appropriate SPN is missing. While Vista never asks for the TGS even if a correct SPN exists. I checked this by using Wireshark. When using an IP address, there is no TGS request coming from Vista while there IS one coming from XP.

I can reproduce the problem by taking the following steps:

The following series of steps works correctly as expected:

a) have server SRV1.domain.local, IP address 10.10.0.11
b) create DNS A record intranet.domain.local, IP address 10.10.0.11
c) add site "intranet.domain.local" to the Local Intranet sites (IEESC turned off)
d) purge Kerberos ticket cache
e) restart IE
e) try IE to http://intranet.domain.local (exactly this, not using the short form)
f) only TGT received, but both TGT and TGS were requested as was seen in Wireshark - this is still correct because no SPN was created yet. So we are going to create the SPN and enable Kerberos for the alias.
g) create SPN http/intranet.domain.local
h) purge Kerberos ticket cache
i) restart IE
j) try IE to http://intranet.domain.local (exactly this, not using the short form)
k) both TGT and TGS were received successfully

The same procedure works the same way even for SMB/CIFS access (certainly, DisableStrictNameChecking must have been set to 1).

But when I try the same procedure to access http://10.10.0.11 or \\10.10.0.11 (Local Intranet site address, the caches purged out, SPN created etc.) the Vista client does not even ask for a TGT - once again as observed by using Wireshark.

The client doesn't try Kerberos at all, it uses NTLM as the first method without trying Kerberos first.

Many thanks for any hint.

ondra.

Guest Mervyn Zhang [MSFT]
Posted

Hi,

Thank you for posting here.

According to your description, I understand that:

According to Wireshark, Vista doesn't use Kerberos when visiting a resource using an IP address directly.

If I have misunderstood the problem, please don't hesitate to let me know.

As we know, the DNS server helps us to translate a host name to an IP address when we visit any network resource, including visiting the KDC and services.

When you use SRV1.domain.local, your client has to query the DNS cache or DNS server to find the IP address (10.10.0.11) and send the Kerberos request to the KDC or service server.

It makes no difference whether you use IP or host name. There may be something wrong with Wireshark.

Please use "klist" to verify if Kerberos was used. On the client system, click Start, type CMD, type "klist tickets", press Enter. Are there any HTTP records?

You can also use Microsoft Network Monitor 3.2 to analyze traffic.
http://www.microsoft.com/downloads/details...40af-1e08-4a21-a26b-ec2f4dc4190d&displaylang=en

Install Microsoft Network Monitor 3.2, run it on server and clients to monitor the traffic.

If necessary, use the capture filter to monitor only authentication traffic. If anything is unclear, send the saved capture file: use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the files and then give me the download address.

Sincerely,
Mervyn Zhang
Microsoft Online Community Support

 

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Guest Ondrej Sevecek
Posted

I have used klist and also kerbtray (probably not supported but working :-)) to trace the problem and still, Vista seems to not use Kerberos for IP addresses.

Many thanks for your help.

o.


Guest Mervyn Zhang [MSFT]
Posted

Hi,

Thank you for your update.

As far as I know, the host name will be translated to an IP address on the client before contacting the KDC or service server.

1. Please restart the server and use the IP address to visit http://10.10.0.11. After that, run "klist tickets >>c:\kerberos.log".

2. Run "klist purge", press Y to clear Kerberos tickets. Run "klist tickets >>c:\kerberos1.log".

3. Visit http/intranet.domain.local and run "klist tickets >>c:\kerberos2.log" again.

Send log files to tfwst@microsoft.com or upload to SkyDrive for research.

Please also try to collect the Network Monitor capture files.

Sincerely,
Mervyn Zhang
Microsoft Online Community Support


Guest Ondrej Sevecek
Posted

Look, this is unnecessary, it actually does not even ask for a TGT.

So the only thing I would like to know:
Vista (the same way as XP) should use Kerberos even for IP addresses, right?

If it is so, I will investigate the things myself. What I need is just the confirmation that the things should really work the same way as with XP. Because according to my long-running tests, it doesn't use Kerberos for IP addresses and it seemed to me like a "by design" feature change.

ondra.


Guest Ondrej Sevecek
Posted

I have actually sent you the pictures.

 

ondra.


Guest Mervyn Zhang [MSFT]
Posted

Hi Ondra,

Thank you for your reply and information.

In my test machines, Windows XP did not use Kerberos when using an IP address to visit websites. Vista has the same behaviour as your client; it didn't use Kerberos when using an IP address.

I have found a similar case about Kerberos not working with an IP address. Below is a summary of their conclusion:

"Indeed, in Win2003/XP/Vista, all systems use KerbIsIpAddress to check if the target server name is an IP address. If it is, the function will return true and the system will deny Kerberos in this situation with SEC_E_TARGET_UNKNOWN.

The reason that IP address worked in Windows 2003/XP is that the old system logic doesn't check this pattern “http/ipaddress”. Because the SPN is like “http/ipaddress” in your situation, this implicitly works around the limitation.

However, in Vista, the KerbIsIpAddress function has been improved and all IP addresses used in SPNs will be filtered out and denied before Kerberos negotiation. As key code logic, KerbIsIpAddress is not avoidable and it is by design.

In fact, for the previous system, the description of Kerberos behavior when using an IP address has been provided as below (although it doesn't mention the “http/ipaddress” pattern):

322979 Kerberos is not used when you connect to SMB shares by using IP address
http://support.microsoft.com/default.aspx?...kb;EN-US;322979
"

From the article "Improving Web Proxy Client Authentication Performance on ISA Server 2006"
http://technet.microsoft.com/en-us/library/bb984870.aspx

We can find:
"Although in the first scenario (see figure 1) we have a Windows Server 2003 Domain and the native support to use Kerberos, NTLM will still be the preferred authentication method for Internet Explorer 6 while browsing the Internet through a Proxy."

Many applications will also control the authentication method.

There is also Group Policy for Kerberos.

Configure Kerberos policy
http://technet.microsoft.com/en-us/library/cc776647.aspx

Sincerely,
Mervyn Zhang
Microsoft Online Community Support

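As an added illustration (not code from this thread, from Windows, or from any of the posters), the following Python models the two checks the discussion turns on: the client-side IP-literal test that the quoted conclusion attributes to KerbIsIpAddress, which decides whether a TGS is requested for a target at all, and a parser for "klist tickets" output to verify whether a service ticket for a given SPN was actually obtained. The klist sample is constructed in an approximate Vista layout; the function names are this example's own.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample of "klist tickets" output (approximate layout), as it would
# look after step k) of the thread: a TGT plus an HTTP service ticket.
SAMPLE_KLIST = """\
Cached Tickets: (2)

#0>     Client: ondra @ DOMAIN.LOCAL
        Server: krbtgt/DOMAIN.LOCAL @ DOMAIN.LOCAL

#1>     Client: ondra @ DOMAIN.LOCAL
        Server: http/intranet.domain.local @ DOMAIN.LOCAL
"""

def target_host(target: str) -> str:
    """Host part of a URL (http://host/...), a UNC path (\\\\host\\share) or a bare name."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    return target.lstrip("\\").split("\\")[0]

def is_ip_literal(host: str) -> bool:
    """Model of the KerbIsIpAddress test described in the thread: IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def kerberos_spn_for(target: str, service: str):
    """SPN the client would request a TGS for, or None when the target is an IP
    literal (the thread says Vista then fails with SEC_E_TARGET_UNKNOWN and NTLM is used)."""
    host = target_host(target)
    if not host or is_ip_literal(host):
        return None
    return f"{service}/{host.lower()}"

_SERVER_RE = re.compile(r"^\s*Server:\s*(\S+)\s*@\s*\S+", re.MULTILINE)

def cached_spns(klist_output: str) -> set:
    """SPNs listed on the 'Server:' lines of klist output, case-folded."""
    return {m.group(1).lower() for m in _SERVER_RE.finditer(klist_output)}

def has_ticket_for(klist_output: str, spn: str) -> bool:
    """The check Mervyn asks for: is there a cached ticket for this SPN?"""
    return spn.lower() in cached_spns(klist_output)
```

Running kerberos_spn_for over http://intranet.domain.local and http://10.10.0.11 reproduces the thread's observation: a name yields an SPN to request, an IP literal yields none, and klist output can then be checked for the expected http/ record.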

Guest Ondrej Sevecek
Posted

eeeeeeeeeeexcelllllent!

 

thank you very much.

 

ondra.


Guest Mervyn Zhang [MSFT]
Posted

Hi ondra,

I am glad to hear that the information is useful. If you have any other questions or concerns, please do not hesitate to contact us. It is always our pleasure to be of assistance.

Have a nice day!

Sincerely,
Mervyn Zhang
Microsoft Online Community Support
