dotnet / Kerberos.NET

A Kerberos implementation built entirely in managed code.
MIT License

How to get issuing KDC host from ticket? #339

Closed jcuzzi closed 1 year ago

jcuzzi commented 1 year ago

Is there a way to retrieve the KDC host name that issued a ticket from the ticket response?

“Klist.exe get” provides this information, but I’m unsure of where it comes from, and don’t see any related properties in this library which would identify the server.

SteveSyfuhs commented 1 year ago

Nope. The ticket doesn't contain this information. The only reason klist knows it is because Windows knows which DC it sent the request to and caches that information next to the ticket.

jcuzzi commented 1 year ago

Thanks. So if I were to first query DNS for KDCs, I could loop through them and send a request to each one and associate the host with the response.

Is there a way to override the server which the request is sent to using LSA or SSPI? Or would this library be best?

SteveSyfuhs commented 1 year ago

What exactly are you trying to accomplish?

jcuzzi commented 1 year ago

Trying to test if a specific KDC is the actual server that issues the ticket, to ensure the server is functioning correctly.

SteveSyfuhs commented 1 year ago

I guess I'm still not following. All KDCs issue identical tickets, or at least should issue identical tickets. From the outside, the tickets are identical, so you'd need to get their key to decrypt them to see the contents. The only thing that can know where the ticket originated is the client. The only thing that can decrypt the ticket, nominally, is the service that the ticket is intended for. So, I'm not entirely understanding what you're trying to accomplish. Are you just wanting to make sure that a particular KDC is online?

If you want to specify a particular KDC for the client to communicate with you can use the KerberosClient.PinKdc(string realm, string kdc) method to pin all requests to a specific machine. Windows has some functions that let you pin DCs, but those are machine-wide.
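A KDC availability probe built on the PinKdc method described above, as an added example that is not code from the issue thread or from the Kerberos.NET project itself. It assumes a dedicated monitoring account (realm, KDC host, user name, password and SPN are placeholders) and that any exception during the exchange should count as the KDC failing the check.

```csharp
using System;
using System.Threading.Tasks;
using Kerberos.NET.Client;
using Kerberos.NET.Credentials;

// Added example: probes one KDC by pinning all requests for a realm to it.
// Placeholders: realm, kdcHost, user, password and spn are assumptions, not real values.
public static class KdcHealthCheck
{
    // Returns true when the pinned KDC answered both the AS exchange (TGT)
    // and the TGS exchange (service ticket) for the supplied credential.
    public static async Task<bool> ProbeKdcAsync(
        string realm, string kdcHost, string user, string password, string spn)
    {
        using var client = new KerberosClient();

        // Every request for this realm now goes to kdcHost only, so a successful
        // response can be attributed to that server rather than to whichever DC
        // DNS/SRV lookup would otherwise have selected.
        client.PinKdc(realm, kdcHost);

        try
        {
            // AS-REQ/AS-REP: obtain a TGT from the pinned KDC.
            await client.Authenticate(new KerberosPasswordCredential(user, password, realm));

            // TGS-REQ/TGS-REP: ask the same pinned KDC for a service ticket.
            var session = await client.GetServiceTicket(spn);

            return session?.ApReq != null;
        }
        catch (Exception ex) // assumption: any failure marks the KDC as unhealthy
        {
            Console.Error.WriteLine($"KDC {kdcHost} failed: {ex.GetType().Name}: {ex.Message}");
            return false;
        }
    }

    public static async Task Main()
    {
        bool healthy = await ProbeKdcAsync(
            "CORP.EXAMPLE.COM", "dc01.corp.example.com",
            "svc-kdcprobe", "<placeholder-password>", "host/dc01.corp.example.com");
        Console.WriteLine(healthy ? "KDC healthy" : "KDC unhealthy");
    }
}
```

As noted in the thread, this runs with the credential you hand to KerberosClient, not the logged-on user's Windows credentials, and the pin affects only this client instance, not the machine's DC selection.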

jcuzzi commented 1 year ago

Yes, the purpose is to ensure that a particular KDC is online and responding to requests. Optimally, I would want to use the context of the currently logged in user to make the request.

SteveSyfuhs commented 1 year ago

Those are mutually exclusive requirements in Windows. At best you can specify which DC to communicate with at the machine level. You can pick arbitrary KDCs with KerberosClient, but you don't get to use the current user's Windows logon credentials to do so.

jcuzzi commented 1 year ago

Understood. Thank you for your expertise. I may end up parsing the output of klist, although it pains me to do so.