Databases
StackOverflow2013
Postsdbo
POKerberos password change protocol
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POKerberos password change protocol
    primarykey
    data
    text
    <p>I'm trying to perform a number of password operations on a user within ActiveDirectory from a C++/CLI library (which will in turn be called by another service) using the Kerberos password protocol as in <a href="http://tools.ietf.org/html/rfc3244" rel="nofollow">RFC 3244</a>.</p> <p>I mocked up a sequence in C# (being my preferred language) using LogonUser to impersonate an admin then use the DirectoryServices.AccountManagement namespace to call <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/aa746344%28v=vs.85%29.aspx" rel="nofollow">SetPassword</a> on the user's entry. SetPassword uses three approaches to attempt the change LDAPS, Kerberos and RPC. If I look at the Wireshark trace I can see the Kerberos handshake when the admin is impersonated, then LDAP attempt (which fails due to lack of SSL) then the kerberos password exchange.</p> <p>Trying to replicate this is C++ LogonUser does not initiate a Kerberos exchange so when SetPassword is called the method falls through to RPC (which succeeds but does not meet our requirement of using Kerberos).</p> <p>Is there an way I can force the use of Kerberos?</p> <p>Is there a better solution to interact with the Kerberos password protocol from .net rather than relying on SetPassword?</p> <p>Minimal code example:</p> <p>C#</p> <pre><code>SafeTokenHandle handle; LogonUser("serviceAccount", "Test", "aPassw0rd", 2, 0, out handle); WindowsIdentity.Impersonate(handle.DangerousGetHandle()); DirectoryEntry usr = new DirectoryEntry(); usr.Path = "LDAP://"+"dctest.test.com/"+"CN=testuser,CN=Users,DC=test,DC=com"; usr.AuthenticationType = AuthenticationTypes.Sealing | AuthenticationTypes.Secure; object ret = usr.Invoke("SetPassword", "aPassw0rd"); usr.CommitChanges(); usr.Close(); Console.WriteLine("Completed"); </code></pre> <p>This approach successfully impersonates the service account then performs the setpassword using KPASSWD over 464.</p> <p>C++/CLI</p> <pre><code>HANDLE _handle; LogonUser(L"serviceAccount",L"Test",L"aPassw0rd",LOGON32_LOGON_INTERACTIVE,LOGON32_PROVIDER_DEFAULT,&amp;_handle) ImpersonateLoggedOnUser(_handle); DirectoryEntry^ usr = gcnew DirectoryEntry(); usr-&gt;Path = "LDAP://"+"dctest.test.com/"+"CN=testuser,CN=Users,DC=test,DC=com"; usr-&gt;AuthenticationType = AuthenticationTypes::Sealing | AuthenticationTypes::Secure; Object^ ret = usr-&gt;Invoke("SetPassword", "aPassw0rd"); usr-&gt;CommitChanges(); usr-&gt;Close(); Console::WriteLine("Completed"); </code></pre> <p>This approach impersonates the admin account, then when set password is calls does a kerberos exchange (over 88 so i'm guessing this is auth) but then falls back to using RPC.</p> <p>If I take the C# code and call it from a C++/CLI wrapper the behaviour changes to that displayed as when the code was in C++.</p>
    singulars
    1. PO
      singulars
      1. PTAnswer
    1. This table or related slice is empty.
    1. PTQuestion
    1. USAndy March
    1. USAndy March
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. PO
      singulars
      1. PTAnswer
    1. This table or related slice is empty.
    1. COTo clarify, .NET does use Kerberos (so it's a successful use case) but C++ does not?
      singulars
      1. POKerberos password change protocol
      1. USSean Hall
    2. COYes that's correct, i've added a minimal code sample above.
      singulars
      1. POKerberos password change protocol
      1. USAndy March
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload