I'm using Kerberos on Windows (non-Windows software generates the token) and have been trying to debug a problem. In a network trace, I can see KRB5KRB_ERR_GENERIC is being returned by the IIS server. The e-data field is supposed to contain a description of the problem, but it just contains these bytes:

30 0d a1 03 02 01 01 a2 06 04 04 33 01 00 c0

which are mostly non-printable. Can this be deciphered or is it implementation-specific?

snibbets

2 Answers

I can only speak for Windows. In the e-data you will normally see the extended status code as returned by Kerberos.

The trace I am looking at right now has a response from the KDC where I can see a block like 72 02 00 C0, which converted is c0000272. Using a tool like err.exe from http://www.microsoft.com/en-us/download/details.aspx?id=985 to translate these Windows error codes gives:

# for hex 0xc0000272 / decimal -1073741198
  STATUS_NO_MATCH                                                ntstatus.h
# There was no match for the specified key in the index.
# as an HRESULT: Severity: FAILURE (1), FACILITY_NULL (0x0), Code 0x272
# for hex 0x272 / decimal 626
  ERROR_NO_MORE_MATCHES                                          winerror.h
# There are no more matches for the current index
# enumeration.
# 2 matches found for "c0000272"

In this case it's because the SPN was not in the msds-allowedtodelegateto list, and therefore the KDC returns this error to say it's not in the list.

I am not sure if your e-data is complete, but there is what looks like a Windows error code: 33 01 00 c0.

Does the bit below apply to you or make sense?

# for hex 0xc0001033 / decimal -1073737677
  MSG_CI_IISADMIN_NOT_AVAILABLE                                  querymsg.h
# The IISADMIN service is not available, so virtual roots
# cannot be indexed.%1
# 1 matches found for "c0001033"

maweeras
  • This doesn't appear right - the error codes returned by ERR.EXE are for libraries that aren't related to the Kerberos error. The E-DATA field in fact doesn't look like a standard Windows error at all - my guess would be that MSFT can translate it on their side, or perhaps there is a tool to translate it, but the above logic doesn't make sense to me – Coruscate5 Feb 21 '17 at 20:19
  • Additionally, enabling Kerberos logging on the local machine doesn't appear to log these errors (though it logs OTHER errors, such as Preauth required). I'm pretty sure I know what my own problem here is (the sAMAccountName for the SPN doesn't match the CN, which means MSFT is probably doing a lookup based on CN for the SPN), but if someone really wants to get to the bottom of it you'd likely need to open a MSFT ticket – Coruscate5 Feb 21 '17 at 20:36
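Added example, not code from any poster on this page: the 15 bytes quoted in the question parse as a DER SEQUENCE holding a [1]-tagged INTEGER and a [2]-tagged 4-byte OCTET STRING, which is the shape of the KERB-ERROR-DATA structure Windows places in e-data (MS-KILE). The script below walks that DER and reads the octet string as a little-endian NTSTATUS, the same byte order the answer above applies to 72 02 00 C0; that interpretation of the data-value, and the small name table (values from ntstatus.h, not from this page), are assumptions.

```python
import struct

# e-data bytes as quoted in the question (hex string constructed from the post)
E_DATA_HEX = "30 0d a1 03 02 01 01 a2 06 04 04 33 01 00 c0"

# Small NTSTATUS lookup from ntstatus.h: the code quoted in the answer above and
# the one the question's bytes decode to. Anything else: look it up with err.exe.
NTSTATUS_NAMES = {
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
    0xC0000272: "STATUS_NO_MATCH",
}

def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_kerb_error_data(raw):
    """Decode KERB-ERROR-DATA (MS-KILE):
    SEQUENCE { data-type [1] INTEGER, data-value [2] OCTET STRING OPTIONAL }"""
    tag, seq, _ = _read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("e-data is not a DER SEQUENCE, so not KERB-ERROR-DATA")
    result = {"data_type": None, "data_value": b""}
    pos = 0
    while pos < len(seq):
        ctx_tag, inner, pos = _read_tlv(seq, pos)   # [1] / [2] explicit tags
        prim_tag, value, _ = _read_tlv(inner, 0)    # wrapped INTEGER / OCTET STRING
        if ctx_tag == 0xA1 and prim_tag == 0x02:
            result["data_type"] = int.from_bytes(value, "big", signed=True)
        elif ctx_tag == 0xA2 and prim_tag == 0x04:
            result["data_value"] = value
    return result

def ntstatus_from_data_value(value):
    """Assumption: a 4-byte data-value is an NTSTATUS stored little-endian,
    the same byte order as the 72 02 00 C0 -> c0000272 reading in the answer."""
    if len(value) != 4:
        raise ValueError("expected a 4-byte NTSTATUS, got %d bytes" % len(value))
    code = struct.unpack("<I", value)[0]
    return code, NTSTATUS_NAMES.get(code, "not in table; look up with err.exe")

if __name__ == "__main__":
    info = decode_kerb_error_data(bytes.fromhex(E_DATA_HEX.replace(" ", "")))
    code, name = ntstatus_from_data_value(info["data_value"])
    print("data-type %d, NTSTATUS 0x%08X (%s)" % (info["data_type"], code, name))
```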
Try enabling Kerberos logging via the registry first (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, create a new DWORD named LogLevel with a value of 0x1) and see if your KRB5KRB_ERR_GENERIC error shows up in the System log in eventvwr.exe.

The e-data / e-text fields appear to be implementation-specific; your best bet for getting a translation is straight from the horse's mouth, in the Event Logs.

Coruscate5