Mike Friedman wrote:
> I've been testing some Kerberos authentication code against both my MIT K5
> KDC and a Windows Active Directory KDC. In both cases, I'm using
> pre-authentication. However, when I enter an incorrect password, the MIT
> KDC returns 31 (decrypt integrity check failure), whereas the AD KDC
> returns 24 (preauth failure). I'm just wondering what might account for
> the different responses.
>
> In fact, this behavior doesn't cause me any problems, since I treat both
> as meaning that an incorrect password was entered.
>
> Is this just a difference in the way the two KDC implementations define
> the meaning of the return codes? Or might there be a difference in the
> way the principals are defined in the two KDCs?

It is a difference in the way RFC 4120 was interpreted. Microsoft read section 3.1.3 to indicate that only KDC_ERR_PREAUTH_FAILED may be returned if the pre-authentication check fails. MIT has historically provided the more specific error when the failure condition is that the known key fails to decrypt the request.

Jeffrey Altman
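
An added example, not part of the original thread: one way to normalize the two responses discussed above so that failed-password counting works the same against MIT and AD KDCs. The event field names, principals and threshold are assumptions; the sample events are constructed.

```python
from collections import Counter

# RFC 4120 error codes relevant to this thread.
KDC_ERR_PREAUTH_FAILED = 24      # what the AD KDC returns on a wrong password
KRB_AP_ERR_BAD_INTEGRITY = 31    # what the MIT KDC returns on a wrong password
KDC_ERR_PREAUTH_REQUIRED = 25    # normal first round trip, not a failure
BAD_PASSWORD_CODES = {KDC_ERR_PREAUTH_FAILED, KRB_AP_ERR_BAD_INTEGRITY}

# MIT krb5 library calls return com_err values: table base + protocol code.
ERROR_TABLE_BASE_KRB5 = -1765328384

def wire_code(code):
    """Accept a protocol code or an MIT com_err value; return the protocol code."""
    if ERROR_TABLE_BASE_KRB5 <= code < ERROR_TABLE_BASE_KRB5 + 128:
        return code - ERROR_TABLE_BASE_KRB5
    return code

def is_bad_password(code):
    """True for either KDC's way of reporting a failed pre-authentication decrypt."""
    return wire_code(code) in BAD_PASSWORD_CODES

def bad_password_counts(events):
    """Count wrong-password AS exchanges per principal, whichever KDC answered."""
    return Counter(e["principal"] for e in events if is_bad_password(e["code"]))

def flag_principals(events, threshold):
    """Principals with at least `threshold` wrong-password failures."""
    counts = bad_password_counts(events)
    return sorted(p for p, n in counts.items() if n >= threshold)

# Constructed sample events (hypothetical principals and field names).
SAMPLE_EVENTS = [
    {"kdc": "mit", "principal": "alice@EXAMPLE.TEST", "code": 25},
    {"kdc": "mit", "principal": "alice@EXAMPLE.TEST", "code": 31},
    {"kdc": "ad",  "principal": "alice@EXAMPLE.TEST", "code": 24},
    {"kdc": "mit", "principal": "alice@EXAMPLE.TEST", "code": -1765328353},
    {"kdc": "ad",  "principal": "bob@EXAMPLE.TEST",   "code": 24},
]

if __name__ == "__main__":
    print(bad_password_counts(SAMPLE_EVENTS))
    print(flag_principals(SAMPLE_EVENTS, threshold=3))
```

Counting only code 24 would miss every wrong-password attempt answered by the MIT KDC in this sample.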
