<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Event Logging in AD Integration Scenarios</title>
	<atom:link href="http://blog.scottlowe.org/2006/10/23/event-logging-in-ad-integration-scenarios/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.scottlowe.org/2006/10/23/event-logging-in-ad-integration-scenarios/</link>
	<description>The weblog of an IT pro specializing in virtualization, storage, and servers</description>
	<pubDate>Thu, 20 Nov 2008 13:59:12 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6</generator>
		<item>
		<title>By: slowe</title>
		<link>http://blog.scottlowe.org/2006/10/23/event-logging-in-ad-integration-scenarios/#comment-5864</link>
		<dc:creator>slowe</dc:creator>
		<pubDate>Fri, 08 Dec 2006 21:21:04 +0000</pubDate>
		<guid isPermaLink="false">http://blog.scottlowe.org/?p=348#comment-5864</guid>
		<description>David G,

Good information!  Yet another way for readers to be able to determine how users are logging in and authenticating on the network.  Thanks!

Scott</description>
		<content:encoded><![CDATA[<p>David G,</p>
<p>Good information!  Yet another way for readers to be able to determine how users are logging in and authenticating on the network.  Thanks!</p>
<p>Scott</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: David G</title>
		<link>http://blog.scottlowe.org/2006/10/23/event-logging-in-ad-integration-scenarios/#comment-5840</link>
		<dc:creator>David G</dc:creator>
		<pubDate>Fri, 08 Dec 2006 14:55:12 +0000</pubDate>
		<guid isPermaLink="false">http://blog.scottlowe.org/?p=348#comment-5840</guid>
		<description>Scott,

Something you may not be aware of that happens with Linux clients - if you enable failure auditing for Account Logon Events, you will get an Event ID 675 Failure Audit preceding the Event 672. The text of the event will look like this:

Pre-authentication failed:
 	User Name:	adg
 	User ID:		EXAMPLE\adg
 	Service Name:	krbtgt/EXAMPLE.COM
 	Pre-Authentication Type:	0x0
 	Failure Code:	0x19
 	Client Address:	192.168.192.129


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

These errors are logged because the MS Kerberos implementation expects the initial TGT request to contain a 'preauthentication' blob which is a time stamp encrypted using the user's password hash as an encryption key (PA_ENC_TIMESTAMP in Kerberos-speak) - this preauthentication is used to prevent replay attacks. The Linux Kerberos libraries don't send this blob in their initial TGT request. When it receives the TGT request without the preauthentication blob, the AD server:
1. Rejects the initial request
2. In the reject response, indicates that preauthentication is required and hints with a list of acceptable preauthentication types.
3. Logs the 675 error in the Event log.
On receiving the reject response, the Linux Kerberos libraries resend the TGT request but this time include the preauthentication blob in the TGT request.

You can disable preauthentication on a per-user basis - in AD Users &#38; Computers, tick the 'Do not require Kerberos preauthentication' box in the account properties tab, but it does make the account easier to hack.

The ideal solution would be to patch the Kerberos libraries to offer up a preauthentication blob at the first TGT request, but I have yet to see any implementations - I suspect because this sort of patch could break interop with other Kerberos implementations - you need to declare what type of crypto (RC4, DES-CBC) you are going to use at the outset rather than negotiate between the client &#38; server what type of crypto is acceptable to both.

David G</description>
		<content:encoded><![CDATA[<p>Scott,</p>
<p>Something you may not be aware of that happens with Linux clients - if you enable failure auditing for Account Logon Events, you will get an Event ID 675 Failure Audit preceding the Event 672. The text of the event will look like this:</p>
<p>Pre-authentication failed:<br />
 	User Name:	adg<br />
 	User ID:		EXAMPLE\adg<br />
 	Service Name:	krbtgt/EXAMPLE.COM<br />
 	Pre-Authentication Type:	0x0<br />
 	Failure Code:	0x19<br />
 	Client Address:	192.168.192.129</p>
<p>For more information, see Help and Support Center at <a href="http://go.microsoft.com/fwlink/events.asp" rel="nofollow">http://go.microsoft.com/fwlink/events.asp</a>.</p>
<p>These errors are logged because the MS Kerberos implementation expects the initial TGT request to contain a &#8216;preauthentication&#8217; blob which is a time stamp encrypted using the user&#8217;s password hash as an encryption key (PA_ENC_TIMESTAMP in Kerberos-speak) - this preauthentication is used to prevent replay attacks. The Linux Kerberos libraries don&#8217;t send this blob in their initial TGT request. When it receives the TGT request without the preauthentication blob, the AD server:<br />
1. Rejects the initial request<br />
2. In the reject response, indicates that preauthentication is required and hints with a list of acceptable preauthentication types.<br />
3. Logs the 675 error in the Event log.<br />
On receiving the reject response, the Linux Kerberos libraries resend the TGT request but this time include the preauthentication blob in the TGT request.</p>
<p>You can disable preauthentication on a per-user basis - in AD Users &amp; Computers, tick the &#8216;Do not require Kerberos preauthentication&#8217; box in the account properties tab, but it does make the account easier to hack.</p>
<p>The ideal solution would be to patch the Kerberos libraries to offer up a preauthentication blob at the first TGT request, but I have yet to see any implementations - I suspect because this sort of patch could break interop with other Kerberos implementations - you need to declare what type of crypto (RC4, DES-CBC) you are going to use at the outset rather than negotiate between the client &amp; server what type of crypto is acceptable to both.</p>
<p>David G</p>
]]></content:encoded>
	</item>
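Detection logic for the pattern David G describes, as an added example that is not part of the original post or its comments. It parses constructed 675 and 672 records modeled on the event text quoted in the comment (the one-line "EVENT_ID ISO_TIMESTAMP" header is an assumed export format, and the 672 records are trimmed to the fields the correlation needs) and labels each 675 as either the benign two-round-trip preauthentication negotiation (failure code 0x19, KDC_ERR_PREAUTH_REQUIRED in RFC 4120, followed shortly by a 672 for the same user and client), a bad password (failure code 0x18, KDC_ERR_PREAUTH_FAILED), or a 0x19 that was never followed by a 672.

```python
"""Triage Windows Server 2003-era Kerberos audit events 675 and 672.

Added example, not code from the original post or its commenters. SAMPLE_EVENTS
is constructed: each record is an event's message text prefixed by a header line
"EVENT_ID ISO_TIMESTAMP" (an assumed export format).
"""
import re
from datetime import datetime, timedelta

# KRB-ERROR codes (RFC 4120, section 7.5.9) as shown in the 675 "Failure Code" field.
KDC_ERR_PREAUTH_FAILED = 0x18    # encrypted timestamp did not verify: wrong password
KDC_ERR_PREAUTH_REQUIRED = 0x19  # the AS-REQ carried no pre-authentication data yet

FIELD_RE = re.compile(r"^\s*([A-Za-z -]+?):\s*(.*?)\s*$")


def parse_event(text):
    """Parse one exported record into a dict keyed by the event's own field names."""
    lines = text.strip().splitlines()
    event_id, stamp = lines[0].split(None, 1)
    rec = {"id": int(event_id), "time": datetime.fromisoformat(stamp)}
    for line in lines[2:]:  # lines[1] is the title, e.g. "Pre-authentication failed:"
        m = FIELD_RE.match(line)
        if m:
            rec[m.group(1).strip()] = m.group(2)
    code = rec.get("Failure Code")
    rec["failure"] = int(code, 16) if code else None
    return rec


def classify(events, window=timedelta(seconds=5)):
    """Label every 675 event.

    A 675 with failure code 0x19 that is followed within `window` by a 672 for
    the same user and client address is the two-round-trip negotiation of a
    client that sends no pre-authentication data up front, not a failed logon.
    """
    events = sorted(events, key=lambda e: e["time"])  # stable, keeps 675 before 672
    labels = []
    for i, ev in enumerate(events):
        if ev["id"] != 675:
            continue
        key = (ev["User Name"], ev["Client Address"])
        retried = any(
            later["id"] == 672
            and (later["User Name"], later["Client Address"]) == key
            and window >= later["time"] - ev["time"]
            for later in events[i + 1:]
        )
        if ev["failure"] == KDC_ERR_PREAUTH_REQUIRED and retried:
            label = "preauth-negotiation"
        elif ev["failure"] == KDC_ERR_PREAUTH_REQUIRED:
            label = "preauth-required-no-retry"
        elif ev["failure"] == KDC_ERR_PREAUTH_FAILED:
            label = "bad-password"
        else:
            label = "other"
        labels.append((ev["time"].isoformat(), key[0], key[1], label))
    return labels


# Constructed records modeled on the 675 text quoted in the comment above.
SAMPLE_EVENTS = [
    """675 2006-12-08T14:55:12
Pre-authentication failed:
    User Name:  adg
    User ID:    EXAMPLE\\adg
    Service Name:   krbtgt/EXAMPLE.COM
    Pre-Authentication Type:    0x0
    Failure Code:   0x19
    Client Address: 192.168.192.129""",
    """672 2006-12-08T14:55:12
Authentication Ticket Request:
    User Name:  adg
    Service Name:   krbtgt
    Pre-Authentication Type:    2
    Client Address: 192.168.192.129""",
    """675 2006-12-08T14:56:00
Pre-authentication failed:
    User Name:  bob
    Pre-Authentication Type:    0x2
    Failure Code:   0x18
    Client Address: 192.168.192.50""",
    """675 2006-12-08T14:57:00
Pre-authentication failed:
    User Name:  carol
    Pre-Authentication Type:    0x0
    Failure Code:   0x19
    Client Address: 192.168.192.77""",
]


def triage_sample():
    """Run the correlation over the constructed records."""
    return classify([parse_event(t) for t in SAMPLE_EVENTS])


if __name__ == "__main__":
    for stamp, user, client, label in triage_sample():
        print(stamp, user, client, label)
```

Run as a script it prints one line per 675: adg's 0x19 is paired with the 672 that follows and labelled as negotiation, bob's 0x18 is a genuine bad password, and carol's 0x19 with no 672 is left for a human to look at. The five-second window is a tuning choice; on a busy KDC the two requests normally land in the same second, so a wider window mostly adds false pairings.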
</channel>
</rss>
