kerberos TGS for an IP address

Posted: 01-30-2009, 09:19 AM
Hello,

my tests show the following thing. I would please like to hear a
confirmation of the fact, or something that would explain what I do
incorrectly or what to change.

Vista never uses kerberos for servers (at least http, smb/cifs) whose name
is specified by an IP address, is that right?

in other words:

Vista (as opposed to XP) never ASKS for a TGS if the name of the server is
specified as an IP address, is that right?


By using the word ASKS I would like to stress the fact that XP always asks for a
TGS, which may not be available because an appropriate SPN is missing,
while Vista never asks for the TGS even if a correct SPN exists. I checked
this by using Wireshark. When using an IP address, there is no TGS request
coming from Vista while there IS one coming from XP.


I can reproduce the problem by taking the following steps:

The following series of steps works correctly, as expected:

a) have server SRV1.domain.local, IP address 10.10.0.11
b) create DNS A record intranet.domain.local, IP address 10.10.0.11
c) add site "intranet.domain.local" to the Local Intranet sites (IEESC
turned off)
d) purge Kerberos ticket cache
e) restart IE
f) try IE to http://intranet.domain.local (exactly this, not using the short
form)
g) only TGT received, but both TGT and TGS were requested as was seen in
Wireshark - this is still correct because no SPN has been created yet. So we are
going to create the SPN and enable Kerberos for the alias.
h) create SPN http/intranet.domain.local
i) purge Kerberos ticket cache
j) restart IE
k) try IE to http://intranet.domain.local (exactly this, not using the short
form)
l) both TGT and TGS were received successfully

The same procedure works the same way even for SMB/CIFS access (of course,
DisableStrictNameChecking must have been set to 1).

But when I try the same procedure to access http://10.10.0.11 or
\\10.10.0.11 (Local Intranet site address, the caches purged, SPN created
etc.), the Vista client does not even ask for a TGT - once again as observed
using Wireshark.

The client doesn't try Kerberos at all; it uses NTLM as the first method
without trying Kerberos first.


many thanks for any hint.

ondra.



Responses to "kerberos TGS for an IP address"

Mervyn Zhang [MSFT]
RE: kerberos TGS for an IP address
Posted: 02-02-2009, 07:23 AM
Hi,

Thank you for posting here.

According to your description, I understand that:

According to Wireshark, Vista doesn't use Kerberos when visiting a resource
using an IP address directly.

If I have misunderstood the problem, please don't hesitate to let me know.

As we know, DNS Server helps us to translate Host Name to IP address when
we visit any Network resource, including visiting KDC, services.

When you use SRV1.domain.local, your client has to query the DNS cache or
DNS server to find the IP address(10.10.0.11) and send Kerberos request to
KDC or service server.

It makes no difference whether you use IP or Host name. There may be
something wrong with Wireshark.

Please use "klist" to verify if Kerberos was used. On the client system,
click Start, type CMD, type "klist tickets", press Enter. Are there any HTTP
records?

You can also use the Microsoft Network Monitor 3.2 to analyze traffic.
http://www.microsoft.com/downloads/d...0af-1e08-4a21-
a26b-ec2f4dc4190d&displaylang=en

Install Microsoft Network Monitor 3.2, run it on server and clients to
monitor the traffic.

If necessary, use the capture filter to monitor only authentication
traffic. If anything is unclear, send the saved capture file: use
Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the files
and then give me the download address.

Sincerely,
Mervyn Zhang
Microsoft Online Community Support

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
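Checking "klist tickets" for an HTTP record, as suggested above, is easy to do by eye for two tickets but tedious across many clients. The following Python example is added here and is not code from the thread or from Microsoft: it parses klist output and answers whether a TGT and a service ticket for a given SPN are cached. The SAMPLE_KLIST text is constructed to approximate the Windows klist layout (the realm DOMAIN.LOCAL and the HTTP/intranet.domain.local SPN follow the thread; the times, flags and encryption types are invented), and the parser accepts any service class, not only HTTP.

```python
import re
from dataclasses import dataclass

# Constructed sample of `klist tickets` output. The layout approximates the
# Windows klist format; it is NOT a capture from the thread.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: ondra @ DOMAIN.LOCAL
        Server: krbtgt/DOMAIN.LOCAL @ DOMAIN.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 2/2/2009 8:05:12 (local)
        End Time:   2/2/2009 18:05:12 (local)
        Renew Time: 2/9/2009 8:05:12 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)

#1>     Client: ondra @ DOMAIN.LOCAL
        Server: HTTP/intranet.domain.local @ DOMAIN.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 2/2/2009 8:05:40 (local)
        End Time:   2/2/2009 18:05:12 (local)
        Renew Time: 2/9/2009 8:05:12 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
"""


@dataclass(frozen=True)
class Ticket:
    client: str   # "user @ REALM"
    service: str  # SPN service class: "krbtgt", "HTTP", "cifs", ...
    host: str     # SPN instance: "intranet.domain.local"
    realm: str    # issuing realm


# One cached ticket starts at "#N>" and runs to the next "#N>" or end of text.
BLOCK_RE = re.compile(r"^#\d+>(?P<body>.*?)(?=^#\d+>|\Z)", re.M | re.S)
CLIENT_RE = re.compile(r"^\s*Client:\s*(?P<client>.+?)\s*$", re.M)
SERVER_RE = re.compile(
    r"^\s*Server:\s*(?P<svc>[^/\s]+)/(?P<host>\S+)\s*@\s*(?P<realm>\S+)", re.M)


def parse_klist(output: str) -> list[Ticket]:
    """Extract one Ticket per "#N>" block; blocks without Client/Server are skipped."""
    tickets = []
    for m in BLOCK_RE.finditer(output):
        body = m.group("body")
        c, s = CLIENT_RE.search(body), SERVER_RE.search(body)
        if c and s:
            tickets.append(Ticket(c.group("client"), s.group("svc"),
                                  s.group("host"), s.group("realm")))
    return tickets


def has_tgt(output: str) -> bool:
    """True if a krbtgt ticket is cached (Kerberos was at least attempted)."""
    return any(t.service.lower() == "krbtgt" for t in parse_klist(output))


def has_service_ticket(output: str, service: str, host: str) -> bool:
    """True if a ticket for service/host is cached. SPN comparison is
    case-insensitive, matching how Active Directory treats SPNs."""
    return any(t.service.lower() == service.lower() and t.host.lower() == host.lower()
               for t in parse_klist(output))


if __name__ == "__main__":
    for t in parse_klist(SAMPLE_KLIST):
        print(f"{t.service}/{t.host} @ {t.realm} for {t.client}")
    print("TGT cached:", has_tgt(SAMPLE_KLIST))
    print("HTTP ticket for intranet.domain.local:",
          has_service_ticket(SAMPLE_KLIST, "http", "intranet.domain.local"))
    print("HTTP ticket for 10.10.0.11:",
          has_service_ticket(SAMPLE_KLIST, "http", "10.10.0.11"))
```

On a real client, feed the script the output of "klist tickets" captured after visiting the site; a TGT without any HTTP service ticket is the symptom the thread describes for the DNS-name case before the SPN exists, and no TGT at all is the symptom for the IP-address case.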

Ondrej Sevecek
Re: kerberos TGS for an IP address
Posted: 02-02-2009, 08:05 AM
I have used klist and also kerbtray (probably not supported but working :-))
to trace the problem and still, Vista seems to not use the kerberos for IP
addresses.

many thanks for your help.

o.


Mervyn Zhang [MSFT]
Re: kerberos TGS for an IP address
Posted: 02-02-2009, 08:28 AM

Hi,

Thank you for your update.

As far as I know, Host name will be translated to IP address on client
before contacting KDC or Service server.

1. Please restart the server and use IP address to visit http://10.10.0.11.
After that, run "klist tickets >>c:\kerberos.log".

2. Run "klist purge", press Y to clear Kerberos tickets. Run "klist
tickets >>c:\kerberos1.log".

3. Visit http://intranet.domain.local and run "klist tickets
>>c:\kerberos2.log" again.
Send log files to tfwst@microsoft.com or upload to skydrive for research.

Please also try to collect the network Monitor capture files.

Sincerely,
Mervyn Zhang
Microsoft Online Community Support

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Ondrej Sevecek
Re: kerberos TGS for an IP address
Posted: 02-02-2009, 09:46 AM
look, this is unnecessary, it actually does not even ask for a TGT.

so the only thing I would like to know:
Vista (the same way as XP) should use kerberos even for IP addresses, right?


if it is so, I will investigate the things myself. What I need is just
the confirmation that the things should really work the same way as with XP.
Because according to my long-running tests, it doesn't use kerberos for IP
addresses and it seemed to me a "by design" feature change.


ondra.


Ondrej Sevecek
Re: kerberos TGS for an IP address
Posted: 02-02-2009, 11:11 AM
I have actually sent you the pictures.

ondra.


Mervyn Zhang [MSFT]
Re: kerberos TGS for an IP address
Posted: 02-02-2009, 11:41 AM
Hi Ondra,

Thank you for your reply and information.

In my test machines, Windows XP did not use Kerberos when using an IP address
to visit websites. Vista has the same behavior as your client; it
didn't use Kerberos when using an IP address.

I have found a similar case about Kerberos not working with IP Address.
Below is a summary of their conclusion:

"Indeed, in Win2003/XP/Vista, all systems use KerbIsIpAddress to check if
the target server name is one IP address. If it is, the function will
return true and System will deny to Kerberos in this situation with
SEC_E_TARGET_UNKNOWN.

The reason that IP address worked in Windows 2003/XP is that the old system
logic doesn't check this pattern "http/ipaddress". Because the SPN is
like "http/ipaddress" in your situation, this implicitly works around the
limitation.

However, in Vista, the KerbIsIpAddress function has been improved and all
ip address used in SPN will be filtered out and denied before Kerberos
Negotiation. As key code logic, KerbIsIpAddress is not avoidable and it is
by design.

In fact, for previous system, the description of Kerberos behavior when
using IP Address has been provided as below (although it doesn't mention
"http/ipaddress" pattern):

322979 Kerberos is not used when you connect to SMB shares by using IP
address
http://support.microsoft.com/default...b;EN-US;322979
"

From the article "Improving Web Proxy Client Authentication Performance on
ISA Server 2006"
http://technet.microsoft.com/en-us/l.../bb984870.aspx

We can find:
"Although in the first scenario (see figure 1) we have a Windows Server
2003 Domain and the native support to use Kerberos, NTLM will still be
preferred authentication method for Internet Explorer 6 while browsing the
Internet through a Proxy."

Many applications will also control the authentication method.

There is also Group Policy for Kerberos.

Configure Kerberos policy
http://technet.microsoft.com/en-us/l.../cc776647.aspx

Sincerely,
Mervyn Zhang
Microsoft Online Community Support

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
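The conclusion quoted above (an IP-literal target is rejected before Kerberos is attempted, so the client goes straight to NTLM; a DNS name is tried with Kerberos and only falls back to NTLM when the TGS request fails) can be modelled for an inventory of targets. The Python below is an added example, not code from the thread or from Windows: it classifies each URL or UNC path the way the thread's observations and the quoted KerbIsIpAddress description predict. REGISTERED_SPNS is a constructed inventory (only http/intranet.domain.local comes from the thread; the SRV1 entries are hypothetical), and the IPv6-literal handling goes beyond the thread's IPv4 case.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed SPN inventory for the example. Only http/intranet.domain.local
# comes from the thread; the SRV1 entries are hypothetical.
REGISTERED_SPNS = {
    "http/intranet.domain.local",
    "http/srv1.domain.local",
    "cifs/srv1.domain.local",
}


def target_host(target: str) -> tuple[str, str]:
    """Return (service_class, host) for an http(s) URL or a UNC path.

    SPN matching is case-insensitive, so the host is lowercased. For URLs,
    urlsplit().hostname also strips the brackets from an IPv6 literal.
    """
    if target.startswith("\\\\"):
        host = target[2:].split("\\", 1)[0]
        return "cifs", host.lower()
    parts = urlsplit(target)
    if parts.scheme in ("http", "https") and parts.hostname:
        return "http", parts.hostname
    raise ValueError(f"unsupported target: {target!r}")


def is_ip_literal(host: str) -> bool:
    """Mirror the check the thread attributes to KerbIsIpAddress: is the
    target name an IPv4 or IPv6 literal rather than a DNS name?"""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def predict_auth(target: str, spns=REGISTERED_SPNS) -> str:
    """Predict the outcome the thread observed for one target.

    - IP literal: Kerberos is not attempted (no TGT/TGS request), NTLM is used.
    - DNS name with a matching SPN: TGS request succeeds, Kerberos is used.
    - DNS name without an SPN: TGS request fails, the client falls back to NTLM.
    """
    service, host = target_host(target)
    if is_ip_literal(host):
        return "NTLM: IP literal, Kerberos not attempted"
    spn = f"{service}/{host}"
    if spn in {s.lower() for s in spns}:
        return f"Kerberos: service ticket for {spn}"
    return f"NTLM fallback: no SPN {spn} registered, TGS request fails"


def audit(targets) -> dict:
    """Return {target: prediction} so NTLM-bound targets can be listed."""
    return {t: predict_auth(t) for t in targets}


if __name__ == "__main__":
    sample_targets = [
        "http://intranet.domain.local",
        "http://10.10.0.11",
        r"\\10.10.0.11\share",
        r"\\srv1.domain.local\share",
        "http://other.domain.local",
        "http://[fe80::1]/",
    ]
    for target, verdict in audit(sample_targets).items():
        print(f"{target:32} -> {verdict}")
```

The practical use is to find links, shortcuts and mapped drives that reference servers by IP address: those will never get Kerberos on Vista regardless of how many SPNs are registered, so replacing the IP with a DNS name (plus the matching SPN, and DisableStrictNameChecking for an SMB alias, as the thread describes) is the fix.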

Ondrej Sevecek
Re: kerberos TGS for an IP address
Posted: 02-02-2009, 11:53 AM
eeeeeeeeeeexcelllllent!

thank you very much.

ondra.


Mervyn Zhang [MSFT]
Re: kerberos TGS for an IP address
Posted: 02-03-2009, 03:11 AM
Hi ondra,

I am glad to hear that the information is useful. If you have any other
questions or concerns, please do not hesitate to contact us. It is always
our pleasure to be of assistance.

Have a nice day!

Sincerely,
Mervyn Zhang
Microsoft Online Community Support

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.