2.4.1.4 Netmon Trace Digest

  • From the Windows Vista operating system client machine, a standard logon process was initiated per the steps listed in section 2.4.1.3. Assuming the initial TCP/IP session remains established between the client and the domain controller (DC), all Address Resolution Protocol (ARP), NetBIOS Name Service (NbtNS) and Domain Name System (DNS) resolution, TCP flags and server message block (SMB) negotiated dialect remain established. If not, the trace will show these frames establishing an SMB session between the client and the domain controller (initiated by the client), as shown in the following example.

    ClientVista   WS200301  ARP  ARP: Request, 192.168.200.3 asks for 192.168.200.2
    WS200301   ClientVista  ARP  ARP: Response, 192.168.200.2 at 00-C0-9F-23-E7-EE
  • Kerberos clients require a way to locate the Key Distribution Center (KDC); this is done through the use of DNS SRV records and LDAP lookups. The component in Windows that is responsible for dynamic location through SRV records is called the Locator; for more information, see [MS-ADTS] section "Locator". For more information about Kerberos V5, see [RFC4120].

    ClientVista    WS200301  LDAP  LDAP: (CLDAP)Search Request, MessageID: 6, BaseObject: NULL, SearchScope: base Object,SearchAlias: neverDerefAliases
    WS200301    Vista  LDAP  LDAP: (CLDAP)Search Result Entry, MessageID: 6, Status: Success
    ClientVista   WS200301  KerberosV5  KerberosV5: AS Request Cname: administrator Realm: PROTOCOL Sname: krbtgt/PROTOCOL
  • The following error message from the server to the client forces the client to pre-authenticate, that is, to prove that it knows its key. Pre-authentication takes place during the AS exchange, when the client first authenticates to the KDC. A client pre-authenticates by supplying additional information that proves it knows the key it shares with the KDC before the TGT is issued. Pre-authentication is done by supplying one or more pre-authentication messages in the PA-data field of the AS-REQ message.

    WS200301    ClientVista  KerberosV5  KerberosV5: KRB_ERROR  - KDC_ERR_PREAUTH_REQUIRED (25)
  • This is the request for the TGT. A TGT is generated using the username and password and is sent to the KDC.

    ClientVista    WS200301  KerberosV5  KerberosV5: AS Request Cname: administrator Realm: PROTOCOL Sname: krbtgt/PROTOCOL
  • In response to receiving the AS-REQ for a TGT, the KDC authenticates the user by checking that the credentials used in the AS-REQ match the user's, as specified in [RFC4120]. The KDC builds an AS-REP from the TGT and other requisite data, and sends it back to the client.

    WS200301    ClientVista  KerberosV5  KerberosV5: AS Response Ticket[Realm: PROTOCOL.LOCAL, Sname: krbtgt/PROTOCOL.LOCAL]
  • Once the service ticket to the application server is obtained, the client authenticates itself to the server by sending an AP-REQ wrapped in Generic Security Services (GSS) formatting, as specified in section 3.3 and [RFC1964].

    ClientVista    WS200301  KerberosV5  KerberosV5: TGS Request Realm: PROTOCOL.LOCAL Sname: host/vistacnt.protocol.local
    WS200301    ClientVista  KerberosV5  KerberosV5: TGS Response Cname: Administrator
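The digest above describes one expected message order for an interactive logon: an AS-REQ that the KDC answers with KDC_ERR_PREAUTH_REQUIRED (25), a second AS-REQ carrying PA-data, the AS-REP, and then the TGS exchange. The following Python is an added example, not part of this specification, that parses Netmon-style frame summaries (the sample trace is constructed from the frames shown above, one frame per line) and checks that a capture contains exactly that pre-authenticated sequence, which is a useful baseline when reviewing a trace for an unexpected logon pattern.

```python
import re

# Constructed sample: the Kerberos frame summaries from the digest above, one
# frame per line in Netmon's "source destination protocol summary" layout.
SAMPLE_TRACE = """\
ClientVista WS200301 KerberosV5 KerberosV5: AS Request Cname: administrator Realm: PROTOCOL Sname: krbtgt/PROTOCOL
WS200301 ClientVista KerberosV5 KerberosV5: KRB_ERROR - KDC_ERR_PREAUTH_REQUIRED (25)
ClientVista WS200301 KerberosV5 KerberosV5: AS Request Cname: administrator Realm: PROTOCOL Sname: krbtgt/PROTOCOL
WS200301 ClientVista KerberosV5 KerberosV5: AS Response Ticket[Realm: PROTOCOL.LOCAL, Sname: krbtgt/PROTOCOL.LOCAL]
ClientVista WS200301 KerberosV5 KerberosV5: TGS Request Realm: PROTOCOL.LOCAL Sname: host/vistacnt.protocol.local
WS200301 ClientVista KerberosV5 KerberosV5: TGS Response Cname: Administrator
"""

FRAME_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
MESSAGE_LABELS = {"AS Request": "AS-REQ", "AS Response": "AS-REP",
                  "TGS Request": "TGS-REQ", "TGS Response": "TGS-REP"}
# Round trip from the digest: AS-REQ, KDC_ERR_PREAUTH_REQUIRED (25), AS-REQ with PA-data, AS-REP, TGS exchange.
EXPECTED_PREAUTH_LOGON = ["AS-REQ", "KRB_ERROR(25)", "AS-REQ", "AS-REP",
                         "TGS-REQ", "TGS-REP"]

def parse_frames(text):
    """Split a digest into (src, dst, protocol, summary) tuples, skipping blanks."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append(m.groups())
    return frames

def kerberos_steps(frames):
    """Reduce the KerberosV5 frames to message labels such as 'AS-REQ' or
    'KRB_ERROR(25)'; frames of other protocols (ARP, CLDAP) are ignored."""
    steps = []
    for _src, _dst, proto, summary in frames:
        if proto != "KerberosV5":
            continue
        body = summary.split(":", 1)[1].strip()  # drop the "KerberosV5:" prefix
        if body.startswith("KRB_ERROR"):
            code = re.search(r"\((\d+)\)", body)
            steps.append("KRB_ERROR(%s)" % (code.group(1) if code else "?"))
            continue
        for prefix, label in MESSAGE_LABELS.items():
            if body.startswith(prefix):
                steps.append(label)
    return steps

def is_preauth_logon(frames):
    """True when the trace shows exactly the pre-authenticated logon sequence."""
    return kerberos_steps(frames) == EXPECTED_PREAUTH_LOGON
```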