kerberos TGS for an IP address

Ondrej Sevecek

Hello,

My tests show the following. I would like to hear a confirmation of this,
or something that would explain what I am doing incorrectly or what to
change.

Vista never uses Kerberos for servers (at least HTTP, SMB/CIFS) whose name
is specified as an IP address, is that right?

in different words:

Vista (as opposed to XP) never ASKS for a TGS if the name of the server is
specified as an IP address, is that right?


By using the word ASKS I would like to stress the fact that XP always asks
for a TGS, which may not be available because an appropriate SPN is missing.
Vista, on the other hand, never asks for the TGS even if a correct SPN
exists. I checked this by using Wireshark. When using an IP address, there
is no TGS request coming from Vista, while there IS one coming from XP.


I can reproduce the problem by taking the following steps:

The following series of steps works correctly, as expected:

a) have server SRV1.domain.local, IP address 10.10.0.11
b) create DNS A record intranet.domain.local, IP address 10.10.0.11
c) add site "intranet.domain.local" to the Local Intranet sites (IEESC
turned off)
d) purge Kerberos ticket cache
e) restart IE
e) try in IE http://intranet.domain.local (exactly this, not using the short
form)
f) only the TGT was received, but both TGT and TGS were requested, as seen in
Wireshark - this is still correct because no SPN had been created yet. So we
are going to create the SPN and enable Kerberos for the alias.
g) create SPN http/intranet.domain.local
h) purge Kerberos ticket cache
i) restart IE
j) try in IE http://intranet.domain.local (exactly this, not using the short
form)
k) both TGT and TGS were received successfully

The same procedure works the same way even for SMB/CIFS access (certainly,
DisableStrictNameChecking must have been set to 1).

But when I try the same procedure to access http://10.10.0.11 or
\\10.10.0.11 (Local Intranet site address, the caches purged, SPN created
etc.), the Vista client does not even ask for a TGT - once again as observed
by using Wireshark.

The client doesn't try Kerberos at all; it uses NTLM as the first method,
without trying Kerberos first.


Many thanks for any hint.

ondra.
 
Hi,

Thank you for posting here.

According to your description, I understand that:

According to Wireshark, Vista doesn't use Kerberos when visiting a resource
using an IP address directly.

If I have misunderstood the problem, please don't hesitate to let me know.

As we know, the DNS server helps us to translate a host name to an IP address
when we visit any network resource, including visiting the KDC and services.

When you use SRV1.domain.local, your client has to query the DNS cache or
DNS server to find the IP address (10.10.0.11) and send the Kerberos request
to the KDC or service server.

It makes no difference whether you use the IP or the host name. There may be
something wrong with Wireshark.

Please use "klist" to verify whether Kerberos was used. On the client system,
click Start, type CMD, type "klist tickets", press Enter. Are there any HTTP
records?

You can also use Microsoft Network Monitor 3.2 to analyze traffic.
http://www.microsoft.com/downloads/details.aspx?familyid=f4db40af-1e08-4a21-
a26b-ec2f4dc4190d&displaylang=en

Install Microsoft Network Monitor 3.2, run it on server and clients to
monitor the traffic.

If necessary, use the capture filter to monitor only authentication
traffic. If anything is unclear, send the saved capture file: use
Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the files
and then give me the download address.

Sincerely,
Mervyn Zhang
Microsoft Online Community Support

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
I have used klist and also kerbtray (probably not supported, but working :-))
to trace the problem, and still, Vista seems not to use Kerberos for IP
addresses.

Many thanks for your help.

o.
 
Hi,

Thank you for your update.

As far as I know, the host name will be translated to an IP address on the
client before contacting the KDC or service server.

1. Please restart the server and use the IP address to visit
http://10.10.0.11. After that, run "klist tickets >>c:\kerberos.log".

2. Run " klist purge", press Y to clear Kerberos tickets. Run "klist
tickets >>c:\kerberos1.log".

3. Visit http://intranet.domain.local and run "klist tickets".
Send the log files to (e-mail address removed) or upload them to SkyDrive for research.

Please also try to collect the Network Monitor capture files.

Sincerely,
Mervyn Zhang
Microsoft Online Community Support

 
Look, this is unnecessary; it actually does not even ask for a TGT.

So the only thing I would like to know:
Vista (the same as XP) should use Kerberos even for IP addresses, right?


If it is so, I will investigate the matter myself. What I need is just
the confirmation that things should really work the same way as with XP.
Because according to my long-running tests, it doesn't use Kerberos for IP
addresses, and it seemed to me to be a "by design" feature change.


ondra.
 
I have actually sent you the pictures.

ondra.


Mervyn Zhang said:
Hi,

Thank you for your update.

As far as I know, the host name will be translated to an IP address on the
client before contacting the KDC or service server.

1. Please restart the server and use the IP address to visit
http://10.10.0.11. After that, run "klist tickets >>c:\kerberos.log".

2. Run " klist purge", press Y to clear Kerberos tickets. Run "klist
tickets >>c:\kerberos1.log".

3. Visit http://intranet.domain.local and run "klist tickets".
Send the log files to (e-mail address removed) or upload them to SkyDrive for research.

Please also try to collect the Network Monitor capture files.

Sincerely,
Mervyn Zhang
Microsoft Online Community Support

 
Hi Ondra,

Thank you for your reply and information.

On my test machines, Windows XP did not use Kerberos when using an IP address
to visit websites. Vista behaves the same way as your client; it didn't use
Kerberos when using an IP address.

I have found a similar case about Kerberos not working with an IP address.
Below is a summary of their conclusion:

"Indeed, in Win2003/XP/Vista, all systems use KerbIsIpAddress to check if
the target server name is an IP address. If it is, the function will
return true and the system will refuse to use Kerberos in this situation,
with SEC_E_TARGET_UNKNOWN.

The reason that the IP address worked in Windows 2003/XP is that the old
system logic doesn't check this pattern "http/ipaddress". Because the SPN is
like "http/ipaddress" in your situation, this implicitly works around the
limitation.

However, in Vista, the KerbIsIpAddress function has been improved and all
IP addresses used in SPNs will be filtered out and denied before Kerberos
negotiation. As key code logic, KerbIsIpAddress is not avoidable and it is
by design.

In fact, for previous systems, the description of Kerberos behavior when
using an IP address has been provided below (although it doesn't mention
the "http/ipaddress" pattern):

322979 Kerberos is not used when you connect to SMB shares by using IP
address
http://support.microsoft.com/default.aspx?scid=kb;EN-US;322979
"

From the article "Improving Web Proxy Client Authentication Performance on
ISA Server 2006"
http://technet.microsoft.com/en-us/library/bb984870.aspx

we can find:
"Although in the first scenario (see figure 1) we have a Windows Server
2003 Domain and the native support to use Kerberos, NTLM will still be the
preferred authentication method for Internet Explorer 6 while browsing the
Internet through a Proxy."

Many applications will also control the authentication method themselves.

There is also Group Policy for Kerberos.

Configure Kerberos policy
http://technet.microsoft.com/en-us/library/cc776647.aspx

Sincerely,
Mervyn Zhang
Microsoft Online Community Support

 
Hi Ondra,

I am glad to hear that the information is useful. If you have any other
questions or concerns, please do not hesitate to contact us. It is always
our pleasure to be of assistance.

Have a nice day!

Sincerely,
Mervyn Zhang
Microsoft Online Community Support
