Potential for Kerberos Issues When Using a Cisco VPN/ASA with Win2003 or later DC’s

re: Potential for Kerberos Issues When Using a Cisco VPN/ASA with Win2003 or later DC’s

greener85 — Mon, 15 Feb 2010 17:26:39 GMT

Hey Oleg,

First thanks for the updated URL for the Cisco defect. We have gotten this updated on the blog.

To answer your question, even if you do not send pre-authentication data in the AS-REQ, the KDC could still respond back with KRB5KDC_ERR_RESPONSE_TOO_BIG if the users Kerberos TGT is going to be larger than one packet size. If the ASA does not recognize that it should resend the entire authentication again (AS) then I would suspect that the Cisco appliance will again fail to authenticate the user.

The users Kerberos ticket size is going to be dictated by the amount of groups the user belongs to since this information is included in the ticket as the Partial Attribute Certificate (PAC).

Since you actually work with Cisco, I would be glad to speak with you further on this. Please send an e-mail via the page so that we can discuss further if you need more information.

http://blogs.technet.com/askds/contact.aspx

Rob Greene

re: Potential for Kerberos Issues When Using a Cisco VPN/ASA with Win2003 or later DC’s

otipisov — Sun, 14 Feb 2010 12:07:51 GMT

Hi Rob,

Just to understand this better: both AS-REQ and AS-REP contain three "PA-ENC-TIMESTAMP" fields with the total length of 212 bytes in case pre-authentication is enabled, right? So, if pre-authentication is disabled, the AS-REP becomes smaller by 212 bytes and can fit within the 1465 bytes limit. If the AS-REP is still larger than 1465 bytes the KDC will again request TCP and the entire process will fail.

So the real issue is the CSCsi32224 -- "ASA does not switch to TCP upon receiving Kerberos error code 52". The new defect (CSCtd92673 -- "Kerberos authentication fails with pre-auth enabled") was actually opened to track customer cases when the MaxDatagramReplySize workaround doesn't work for some strange reason.

The url is: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtd92673

You need to login to access this page.

Thank you for very useful info,

Oleg

Cisco TAC :)

re: Potential for Kerberos Issues When Using a Cisco VPN/ASA with Win2003 or later DC’s

greener85 — Tue, 09 Feb 2010 16:34:02 GMT

Hey Otipisov,

Disabling Pre-Authentication does not "change" the Kerberos protocol. It only takes away the requirement to have Pre-Authentication data the intial AS-REQ that the client sends.

It will not make the overall Kerberos ticketing smaller, only the AS-REQ and AS-REP packets would be smaller in this scenario.

Keep in mind that really the issue is that the Cisco device is ignoring / not processing the error back from the domain controller of: KRB5KDC_ERR_RESPONSE_TOO_BIG

So reality is if the users Kerberos ticket is large enough you could still have the same issue because really that error code means request as TCP instead of UDP since the ticket is larger than one packet size.

The workaround basically just changes the packet size allowed before the KDC will respond with that KDC Error code. Again keep in mind that this is really not an error, the Kerberos client on the ASA should be smart enough to respond to the error with creating a new Kerberos ticket request using TCP.

Also, thanks for the update on the Cisco defect number. By chance do you have the URL for that? Did a search and could not get a URL for this. If we can get the URL we would be glad to get the blog updated with the number. Unfortunately Cisco will not let you see this information unless you have some kind of contract with them, and the previous bug URL was provided by the Cisco Engineer that I talked with.

re: Potential for Kerberos Issues When Using a Cisco VPN/ASA with Win2003 or later DC’s

otipisov — Sat, 06 Feb 2010 10:30:34 GMT

Hope this thread is still alive :)

Very useful info. There is one thing, however, that I don't understand at all. It is well known that disabling pre-authentication always solves the problem with KDC reply size. (I'm working with a customer right now who had exactly this problem with Cisco ASA). So, from technical point of view, does disabling pre-authentication changes Kerberos protocol somehow? Does it make the KDC reply smaller??? Or, are MS registry settings ignored, so that the UDP reply is somehow fragmented into smaller chunks???

BTW, the defect CSCsi32224 "ASA does not switch to TCP upon receiving Kerberos error code 52" is not yet fixed and the new defect CSCtd92673 "Kerberos authentication fails with pre-auth enabled" is opened for this issue.

re: Potential for Kerberos Issues When Using a Cisco VPN/ASA with Win2003 or later DC’s

greener85 — Mon, 22 Jun 2009 17:45:14 GMT

Hey Mike,

Thanks for the feed back... Keep in mind that this Blog discusses the actual authentication to the VPN device not data flow after the VPN has been established.

However, what you stated as your fix of forcing the Kerberos client to use TCP is a valid fix for authentication problems to different services on your network once the VPN has been established...

This is more than likely because of a black hole router issue on the network, and causing Kerberos to always use TCP is a valid workaround. In fact as stated in the blog Vista/2008 by default use TCP instead of UDP because of all the issues we have seen out there with customer networks and UDP packet loss.

Rob Greene

re: Potential for Kerberos Issues When Using a Cisco VPN/ASA with Win2003 or later DC’s

GaryAndraza — Fri, 19 Jun 2009 02:20:29 GMT

Found the answer to my question via a link from the NTDebugging blog....

If you are intrested...

Analysis of a networking problem: The case of the mysterious SMB connection resets (or “How to not design a network protocol”)

http://www.nynaeve.net/?p=93

Gary

re: Potential for Kerberos Issues When Using a Cisco VPN/ASA with Win2003 or later DC’s

GaryAndraza — Thu, 18 Jun 2009 23:50:18 GMT

Ned,

I will surely give that a try. Thanks for the suggestion it is greatly apprieciated.

-Gary

re: Potential for Kerberos Issues When Using a Cisco VPN/ASA with Win2003 or later DC’s

NedPyle [MSFT] — Thu, 18 Jun 2009 22:11:45 GMT

That sounds more like pure networking and SMB there - youc an roll the dice and try our sister site here to see what they say:

http://blogs.technet.com/networking/contact.aspx

- Ned

re: Potential for Kerberos Issues When Using a Cisco VPN/ASA with Win2003 or later DC’s

GaryAndraza — Thu, 18 Jun 2009 21:47:53 GMT

Interesting info as I too have been looking at a frustrating intermittent network problem invovling a Cisco ASA 5510. I read this post with interest as I was looking to see if it was going to relate to my problem which is SMB conversations specifically SMB1 Trans2 requests getting most of the way communicated in the standard fashion then dying with a RST,ACK packet from the server seemingly out of nowhere resulting in a "The specified network name is not available." error.

My Server is Win2K8 and the problem clients are XP and 2k but not Vista. We use desktop redirection and it sucks having to explain disappearing icons to users. A larger description is here: http://social.technet.microsoft.com/Forums/en-US/winserverfiles/thread/83abfc8d-72b6-4d18-b097-cfc804a323e7

Gary

-----------

Gary Andraza

Systems Coordinator

Chan Centre | University of British Columbia

Gary.Andraza@ubc.ca

re: Potential for Kerberos Issues When Using a Cisco VPN/ASA with Win2003 or later DC’s

Mike Kline — Thu, 18 Jun 2009 20:42:31 GMT

Really good information Rob and Ned. We recently ran into this same issue where I am (federal agency). We were not using the Cisco VPN but another major VPN solution. Checkpoint in our case. I'm guessing there will be other comments from other VPN implementations too.

We did end up going with the 244474 solution on all our XP machines to force TCP and that has been the fix. We have had no issues with that fix and it has been on for about a month now.

...hey Dan you were right :)

Thanks

Mike