This repository has been archived by the owner on Nov 4, 2023. It is now read-only.

Cannot get ticket. #1

maspling opened this issue Aug 18, 2012 · 4 comments

Comments

@maspling

Hello!

I'm trying to use Kerberos for authentication in a web project I'm working on. However, I get
"Aug 18 22:02:54 auth krb5kdc1042: preauth (timestamp) verify failure: ASN.1 length doesn't match expected value"
when I try to get a ticket with your library.

The following is the code I used:
http://pastie.org/4546030

I'm pretty sure that it's something I'm supposed to do that I missed, since I'm new to kerberos. But I appreciate any help I can get.

Thanks!

//Yugge

@jmckaskill
Owner

Well, the code is fine, albeit you don't need to specify the values of CredConfig.
It's doing something funny that krb5kdc doesn't like. All my testing so far has been against Active Directory.

The preauth timestamp is generated here:
https://github.com/jmckaskill/gokerb/blob/master/ticket.go#L116
https://github.com/jmckaskill/gokerb/blob/master/messages.go#L366
The RFC for it is here:
http://tools.ietf.org/html/rfc1510#section-5.4.1

The error is from here:
http://anonsvn.mit.edu/viewvc/krb5/trunk/src/kdc/kdc_preauth.c?revision=25830&view=markup
Line 994
and
http://anonsvn.mit.edu/viewvc/krb5/branches/krb5-1-10/src/lib/krb5/asn.1/asn1_decode.c?revision=25366&view=markup
Line 242

Gotcha, well it seems Kerberos has a stricter view of ASN.1 GeneralizedTime than standard ASN.1:
From http://tools.ietf.org/html/rfc1510#section-5.2:
The timestamps used in Kerberos are encoded as GeneralizedTimes. An
encoding shall specify the UTC time zone (Z) and shall not include
any fractional portions of the seconds. It further shall not include
any separators. Example: The only valid format for UTC time 6
minutes, 27 seconds after 9 pm on 6 November 1985 is 19851106210627Z.

To fix this try the following in github.com/jmckaskill/asn1:
diff --git a/marshal.go b/marshal.go
index 594c932..19d5e49 100644
--- a/marshal.go
+++ b/marshal.go
@@ -318,7 +318,7 @@ func marshalTwoDigits(out *forkableWriter, v int) (err error) {
}

func marshalGeneralizedTime(out *forkableWriter, t time.Time) (err error) {

  •   s := t.UTC().Format("20060102150405.000Z0700")
    
  •   s := t.UTC().Format("20060102150405Z")
    _, err = out.Write([]byte(s))
    return
    
    }
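Review bot: the new layout string "20060102150405Z" relies on the preceding t.UTC() call for correctness: in a Go layout a lone "Z" is a literal, not a zone token, so a non-UTC time passed straight to Format would be stamped "Z" with the wrong wall-clock digits; keep the UTC() call and add a comment saying so. Worth a second comment is that dropping ".000" silently truncates sub-second precision and that this is a Kerberos-driven restriction (RFC 1510 §5.2, quoted above) being applied in a general-purpose asn1 package, so future readers of marshal.go know why the fractional part and numeric offset were removed.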

I'll test it against active directory later. If it works I'll check it in.
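As an added example (not code from gokerb or the asn1 fork; the function names are mine), here is the RFC 1510 §5.2 GeneralizedTime form beside the pre-patch layout, plus a strict parser that names which rule a timestamp breaks, the check the KDC's decoder performs only implicitly before reporting a length mismatch:

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// Go layouts: the form the KDC accepts (RFC 1510 §5.2) and the pre-patch one.
const (
	kerberosTimeLayout = "20060102150405Z"
	oldTimeLayout      = "20060102150405.000Z0700"
)

// KerberosTime encodes t as UTC with a literal Z, no fractional seconds and
// no separators. The UTC() call is what makes the literal Z truthful.
func KerberosTime(t time.Time) string {
	return t.UTC().Format(kerberosTimeLayout)
}

// OldEncoding reproduces the pre-patch output for comparison.
func OldEncoding(t time.Time) string {
	return t.UTC().Format(oldTimeLayout)
}

// ParseKerberosTime applies the KDC's strict view and reports which rule
// failed, so a bad encoding is diagnosed before it reaches the wire.
func ParseKerberosTime(s string) (time.Time, error) {
	switch {
	case strings.ContainsAny(s, ".,"):
		return time.Time{}, errors.New("fractional seconds are not permitted")
	case !strings.HasSuffix(s, "Z"):
		return time.Time{}, errors.New("time must be UTC and end with Z")
	case len(s) != 15 || strings.Trim(s[:14], "0123456789") != "":
		return time.Time{}, errors.New("expected exactly YYYYMMDDhhmmssZ with no separators")
	}
	return time.Parse(kerberosTimeLayout, s)
}

func main() {
	// Constructed sample: the RFC's example instant, given in a non-UTC zone with sub-second part.
	t := time.Date(1985, 11, 6, 22, 6, 27, 500_000_000, time.FixedZone("CET", 3600))
	fmt.Println("old:", OldEncoding(t), "new:", KerberosTime(t))
	for _, s := range []string{OldEncoding(t), KerberosTime(t), "1985-11-06T21:06:27Z"} {
		_, err := ParseKerberosTime(s)
		fmt.Printf("%-25s -> %v\n", s, err)
	}
}
```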

@maspling
Author

Alright!

It seems I'm now getting "ASN.1 structure error: explicitly tagged member didn't match" errors.

@BryceDFisher

I'm getting the same error as Yugge above when attempting kerb.NewCredential(..) against an AD server.

It appears the tag is as follows:
Tag: <kerb.encryptedKdcReply Value>, {optional:false explicit: true application:true defaultValue: tag:0xv208000e58 stringType:0 timeType:0 set:false omitEmpty:false}

@sid6mathur

Same here while authenticating with an MIT Kerberos v5 v1.13 server: ASN.1 structure error: explicitly tagged member didn't match

jgcallero pushed a commit to jgcallero/gokerb that referenced this issue Sep 1, 2016
Add support for AES encryption