Subject: KERB_TICKET_CACHE_INFO_EX
On Windows XP and later, we have a new API called QueryTicketCacheEx;
this exposes the client realm correctly. Does this meet your need?

typedef struct _KERB_TICKET_CACHE_INFO_EX {
    UNICODE_STRING ClientName;
    UNICODE_STRING ClientRealm;
    UNICODE_STRING ServerName;
    UNICODE_STRING ServerRealm;
    LARGE_INTEGER StartTime;
    LARGE_INTEGER EndTime;
    LARGE_INTEGER RenewTime;
    LONG EncryptionType;
    ULONG TicketFlags;
} KERB_TICKET_CACHE_INFO_EX, *PKERB_TICKET_CACHE_INFO_EX;

PKERB_QUERY_TKT_CACHE_REQUEST and PKERB_QUERY_TKT_CACHE_EX_RESPONSE

typedef struct _KERB_QUERY_TKT_CACHE_EX_RESPONSE {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    ULONG CountOfTickets;
    KERB_TICKET_CACHE_INFO_EX Tickets[ANYSIZE_ARRAY];
} KERB_QUERY_TKT_CACHE_EX_RESPONSE, *PKERB_QUERY_TKT_CACHE_EX_RESPONSE;

As an update, here is what we have worked out.

As stated in the previous e-mail it is not possible for
KERB_TICKET_CACHE_INFO_EX to be used to obtain the ClientRealm information
for tickets on a reliable basis unless we know that the tickets will in fact
be in the cache. Larry has a private fix which he is willing to make
available (after successful testing via PSS). This fix is an extension to
the KerbRetrieveEncodedTicketMessage which will force the storage of the
retrieved ticket in the cache. With this fix it will be possible to
implement the necessary functionality.

Therefore, what has been implemented in the krb5_ccache MSLSA code is
the following:

* A test to determine if KERB_TICKET_CACHE_INFO_EX is available
* A test to determine if KERB_RETRIEVE_TICKET_CACHE_TICKET is
implemented
* Code which depending on the availability of both of the above
which when attempting to retrieve a ticket will search the entire cache
for that ticket and if found utilize the ClientRealm information
provided by the KERB_TICKET_CACHE_INFO_EX entry for that ticket instead
of the DomainName found in the KERB_EXTERNAL_TICKET

This is going to significantly increase the amount of work needed to
properly export a ticket from the LSA cache to an MIT Kerberos
application. However, it will do so correctly.

Larry and David are going to set up a test machine for me to use to make
sure this private fix works and the test build of KRB5_32.DLL works with
it. Assuming it does I am going to fold this code into the KFW 2.6.4
release. The existing behavior of the krb5_ccache MSLSA interface will
be preserved on Windows 2000; Windows XP will use KERB_TICKET_CACHE_INFO
when enumerating tickets; and when the fix is in place retrieve tickets
will obtain the correct ClientRealm information as well.

Doug, assuming this all works it should close the book on the transitive
cross-realm tickets being displayed with the wrong client principal
realm problem you reported months ago. More importantly the ability to
store tickets in the cache with specific enctypes and/or ticket flag
combinations will significantly improve the performance of MIT Kerberos
applications when using the MSLSA cache as the default cache
for the system. Therefore, when the PSS is available I will encourage
organizations which deploy KFW to obtain it and deploy the fix along
with KFW.

Jeffrey Altman
This functionality was added as of KFW 2.6.4 beta 2.
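The following is an added example, not code from this thread, from KFW, or from Microsoft. It puts the two messages above together: the KERB_QUERY_TKT_CACHE_EX_RESPONSE layout from the first message, and the procedure from the update, walking the whole cache for the ticket being exported and preferring that entry's ClientRealm over the DomainName in KERB_EXTERNAL_TICKET, falling back to DomainName when the Ex query is unavailable (Windows 2000) or the ticket is not cached. Assumptions: the Win32 types are redefined locally so the matching logic compiles off Windows (on Windows you would include ntsecapi.h and obtain the response from LsaCallAuthenticationPackage with MessageType KerbQueryTicketCacheExMessage, then release it with LsaFreeReturnBuffer); EXTERNAL_TICKET_VIEW is a simplified stand-in for the KERB_EXTERNAL_TICKET fields used here; the USTR macro, the helper names and all sample tickets and realms are constructed for the example, including the wrong DomainName on the cross-realm ticket that mirrors the problem the thread describes.

```c
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Local stand-ins for the Win32 types so this compiles off Windows; on Windows
 * drop them and include <windows.h> and <ntsecapi.h> instead. */
typedef unsigned short USHORT; typedef unsigned long ULONG; typedef long LONG;
typedef wchar_t WCHAR, *PWSTR;
typedef struct { long long QuadPart; } LARGE_INTEGER;
typedef struct { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING;
typedef int KERB_PROTOCOL_MESSAGE_TYPE;
#define ANYSIZE_ARRAY 1

/* Layouts as quoted in the thread. */
typedef struct _KERB_TICKET_CACHE_INFO_EX {
    UNICODE_STRING ClientName, ClientRealm, ServerName, ServerRealm;
    LARGE_INTEGER  StartTime, EndTime, RenewTime;
    LONG           EncryptionType;
    ULONG          TicketFlags;
} KERB_TICKET_CACHE_INFO_EX;

typedef struct _KERB_QUERY_TKT_CACHE_EX_RESPONSE {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;   /* KerbQueryTicketCacheExMessage */
    ULONG                      CountOfTickets;
    KERB_TICKET_CACHE_INFO_EX  Tickets[ANYSIZE_ARRAY];
} KERB_QUERY_TKT_CACHE_EX_RESPONSE;

/* Assumed, simplified view of the KERB_EXTERNAL_TICKET fields used here
 * (the real struct carries the principal names as PKERB_EXTERNAL_NAME). */
typedef struct {
    UNICODE_STRING ClientName, DomainName;         /* DomainName: client realm as the LSA reports it */
    UNICODE_STRING ServiceName, TargetDomainName;  /* TargetDomainName: the service's realm */
} EXTERNAL_TICKET_VIEW;

int ustr_eq(const UNICODE_STRING *a, const WCHAR *b)   /* Length is in bytes, without the NUL */
{ size_t n = wcslen(b) * sizeof(WCHAR); return a->Length == n && memcmp(a->Buffer, b, n) == 0; }
static int ustr_same(const UNICODE_STRING *a, const UNICODE_STRING *b)
{ return a->Length == b->Length && memcmp(a->Buffer, b->Buffer, a->Length) == 0; }

/* Walk every entry of the Ex response for the ticket being exported: same
 * client principal, same service principal, same service realm. */
const KERB_TICKET_CACHE_INFO_EX *
find_cache_entry(const KERB_QUERY_TKT_CACHE_EX_RESPONSE *resp, const EXTERNAL_TICKET_VIEW *tkt)
{
    for (ULONG i = 0; i < resp->CountOfTickets; i++) {
        const KERB_TICKET_CACHE_INFO_EX *t = &resp->Tickets[i];
        if (ustr_same(&t->ClientName, &tkt->ClientName) && ustr_same(&t->ServerName, &tkt->ServiceName) &&
            ustr_same(&t->ServerRealm, &tkt->TargetDomainName))
            return t;
    }
    return NULL;
}

/* Prefer the cache entry's ClientRealm; fall back to the external ticket's
 * DomainName when the Ex query is unavailable (resp == NULL, as on Windows
 * 2000) or the ticket is not in the cache. */
const UNICODE_STRING *
resolve_client_realm(const KERB_QUERY_TKT_CACHE_EX_RESPONSE *resp, const EXTERNAL_TICKET_VIEW *tkt, int *from_cache)
{
    const KERB_TICKET_CACHE_INFO_EX *hit = resp ? find_cache_entry(resp, tkt) : NULL;
    if (from_cache) *from_cache = (hit != NULL);
    return hit ? &hit->ClientRealm : &tkt->DomainName;
}

/* Constructed sample data (not a real LSA dump): a two-entry response and three
 * external tickets. Ticket 1 carries the wrong DomainName the thread describes
 * for transitive cross-realm tickets; ticket 2 is not in the cache at all. */
#define USTR(lit) { sizeof(lit) - sizeof(WCHAR), sizeof(lit), (PWSTR)(lit) }
typedef struct {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    ULONG CountOfTickets;
    KERB_TICKET_CACHE_INFO_EX Tickets[2];   /* storage behind the ANYSIZE_ARRAY */
} SAMPLE_CACHE;
static SAMPLE_CACHE g_cache = { 0, 2, {
    /* TGT in the logon realm: etype 23 = rc4-hmac; flags forwardable|renewable|initial|pre-authent */
    { USTR(L"user"), USTR(L"CORP.EXAMPLE.COM"), USTR(L"krbtgt/CORP.EXAMPLE.COM"),
      USTR(L"CORP.EXAMPLE.COM"), {0}, {0}, {0}, 23, 0x40E00000 },
    /* transitive cross-realm service ticket: etype 18 = aes256-cts; ClientRealm != ServerRealm */
    { USTR(L"user"), USTR(L"CORP.EXAMPLE.COM"), USTR(L"host/fs.lab.example.org"),
      USTR(L"LAB.EXAMPLE.ORG"), {0}, {0}, {0}, 18, 0x40A00000 } } };
static const EXTERNAL_TICKET_VIEW g_tkts[3] = {
    { USTR(L"user"), USTR(L"CORP.EXAMPLE.COM"), USTR(L"krbtgt/CORP.EXAMPLE.COM"), USTR(L"CORP.EXAMPLE.COM") },
    { USTR(L"user"), USTR(L"LAB.EXAMPLE.ORG"),  USTR(L"host/fs.lab.example.org"), USTR(L"LAB.EXAMPLE.ORG") },
    { USTR(L"user"), USTR(L"EXAMPLE.ORG"),      USTR(L"imap/mail.example.org"),   USTR(L"EXAMPLE.ORG") } };

const KERB_QUERY_TKT_CACHE_EX_RESPONSE *sample_cache(void) { return (const void *)&g_cache; }
const EXTERNAL_TICKET_VIEW *sample_ticket(int i) { return &g_tkts[i]; }

int main(void)
{
    for (int i = 0; i < 3; i++) {
        int from_cache;
        const UNICODE_STRING *realm = resolve_client_realm(sample_cache(), sample_ticket(i), &from_cache);
        /* %ls is safe only because the sample buffers are NUL-terminated literals;
         * a real UNICODE_STRING is not guaranteed terminated, so honour Length. */
        printf("%ls@%ls  <- %s\n", sample_ticket(i)->ServiceName.Buffer, realm->Buffer,
               from_cache ? "KERB_TICKET_CACHE_INFO_EX.ClientRealm" : "KERB_EXTERNAL_TICKET.DomainName");
    }
    return 0;
}
```

The cross-realm ticket is the interesting case: DomainName says LAB.EXAMPLE.ORG, but the cache entry's ClientRealm gives the correct CORP.EXAMPLE.COM, which is what the exported MIT credential must carry. Pass NULL for the response to see the Windows 2000 behaviour, where only DomainName is available. The match deliberately uses ServerName and ServerRealm from the Ex entry rather than the external ticket's DomainName, because DomainName is exactly the field that cannot be trusted for these tickets.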