Cannot get ticket.

[maspling]

Hello!

I'm trying to use kerberos for authentication in an web project I'm working on. However I get "Aug 18 22:02:54 auth krb5kdc1042: preauth (timestamp) verify failure: ASN.1 length doesn't match expected value" when I try to get a ticket with your library.

The following is the code I used: http://pastie.org/4546030

I'm pretty sure that it's something I'm supposed to do that I missed, since I'm new to kerberos. But I appreciate any help I can get.

Thanks!

//Yugge

[jmckaskill]

Well the code is fine. Albeit you don't need to specify the values of CredConfig. It's doing something funny that krb5kdc doesn't like. All my testing so far has been against active directory.

The preauth timestamp is generated here: https://github.com/jmckaskill/gokerb/blob/master/ticket.go#L116 https://github.com/jmckaskill/gokerb/blob/master/messages.go#L366 The RFC for it is here: http://tools.ietf.org/html/rfc1510#section-5.4.1

The error is from here: http://anonsvn.mit.edu/viewvc/krb5/trunk/src/kdc/kdc_preauth.c?revision=25830&view=markup Line 994 and http://anonsvn.mit.edu/viewvc/krb5/branches/krb5-1-10/src/lib/krb5/asn.1/asn1_decode.c?revision=25366&view=markup Line 242

Gotcha well it seems kerberos has a more strict view of ASN.1 generalized time then the standard ASN.1: From http://tools.ietf.org/html/rfc1510#section-5.2: The timestamps used in Kerberos are encoded as GeneralizedTimes. An encoding shall specify the UTC time zone (Z) and shall not include any fractional portions of the seconds. It further shall not include any separators. Example: The only valid format for UTC time 6 minutes, 27 seconds after 9 pm on 6 November 1985 is 19851106210627Z.

To fix this try the following in github.com/jmckaskill/asn1: diff --git a/marshal.go b/marshal.go index 594c932..19d5e49 100644 --- a/marshal.go +++ b/marshal.go @@ -318,7 +318,7 @@ func marshalTwoDigits(out *forkableWriter, v int) (err error) { }

func marshalGeneralizedTime(out *forkableWriter, t time.Time) (err error) {

• s := t.UTC().Format("20060102150405.000Z0700")
• s := t.UTC().Format("20060102150405Z") _, err = out.Write([]byte(s)) return }

I'll test it against active directory later. If it works I'll check it in.

[maspling]

Alright!

It seems I'm now getting "ASN.1 structure error: explicitly tagged member didn't match" errors.

[BryceDFisher]

I'm getting the same error as Yugge above when attempting doing kerb.NewCredential(..) against an AD server.

It appears the tag is as follows: Tag: , {optional:false explicit: true application:true defaultValue: tag:0xv208000e58 stringType:0 timeType:0 set:false omitEmpty:false}

[sid6mathur]

Same here while authenticating with an MIT Kerberos v5 v1.13 server: ASN.1 structure error: explicitly tagged member didn't match