Besirevic, Nesha a écrit :
Hi,
Another joke from MS....
Scenario:
Two ADs (SBS 2003 - win2003 native mode and 2003 AD - win2000 native mode,
no trust btw, they are simply using sam IP addresses range)
Administrator account has same password on both ADs.
Without any additional authentication you can easily map Admin Share (C$
for example) from one AD DC to another being logged on as Administrator.
I thought we passed this kind of traps with KERBEROS!!!!
Can anybody confirm this!!!!
Thanks in advance
Nesha Besirevic
Technical Consultant\iScalaCRM
<http://www.epicor.com/> www.epicor.com
Tel.: +361 452-7689
Cell: +3630 996-3238
Fax: +361 452-7501
E-Mail: nbesirevic@epicor.com <mailto:nbesirevic@epicor.com>
<file:///C:/Documents%20and%20Settings/Nesha.Besirevic/Local%20Settings/Temp
/(EmptyReference!)>
This e-mail is for the use of the intended recipient(s) only. If you have
received this e-mail in error, please notify the sender immediately and then
delete it. If you are not the intended recipient, you must not use, disclose
or distribute this e-mail without the author's prior permission. We have
taken precautions to minimize the risk of transmitting software viruses, but
we advise you to carry out your own virus checks on any attachment to this
message. We cannot accept liability for any loss or damage caused by
software viruses.
-----
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such
that just hitting reply is going to result in the message coming to the list,
not to the individual who sent the message. This was done to help reduce the
number of Out of Office messages posters received. So if you want to send a
reply just to the poster, you'll have to copy their email address out of the
message and place it in your TO: field.
-----
This is by design. By default, Kerberos authentication is used only between machines in
the same AD or Domain and only if you connect to the server by its name, not its IP
address. If you try to connect to a share outside of your AD or if you try to connect a
share by using the server's IP address (even in the same domain) NTLM authentication is
used. I signaled that to Microsoft about 2 years ago and their only answer is: "this
is by design".
In fact this is related to SPNs (service principal name): if you would use
Kerberos authentication you should manually register SPNs for the services you
want to connect to (setspn utility).
The IP address issue is "documented" in KB 322979 and the issue you
report is obvious if you consider that SPNs are registered in the
Kerberos DB. The SPN of a service residing in the Kerberos DB of another
AD cannot be found since you have no trust between the two AD. If the
SPN of a service cannot be found, Kerberos will reports an error and
the authentication protocol falls back to NTLM. This can be easily
observed by monitoring the connection attempt with MS Network Monitor,
for example.
Hope it helps,
Bertrand LEGERET
OPEN SYSTEM
Expertise in IT Security
-----
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such
that just hitting reply is going to result in the message coming to the list,
not to the individual who sent the message. This was done to help reduce the
number of Out of Office messages posters received. So if you want to send a
reply just to the poster, you'll have to copy their email address out of the
message and place it in your TO: field.
-----
