Wednesday, 16 July 2014

Experiment to see what Happens when Kerberos Ticket Size is Greater than 12000 Bytes

In my lab environment, the answer is “nothing different to if the packet size is less than 12000 Bytes”. I’d been hoping for a different result, never mind...

From this post by Shane Cothran:

“The MaxTokenSize by default is 12000 bytes. ... since Windows 2000 SP2 and still remains in Windows 7 and Windows 2008 R2. ... with Windows Server 2012, the default value of the MaxTokenSize registry entry is 48000 bytes. ... we are recommending ... MaxTokenSize no larger than 48000 bytes...”

My lab contains Windows 7 and Windows 2008 R2, so, manufacturing a user with a Kerberos ticket size of > 12000 Bytes should lead to something interesting (it didn’t.)

After reading Problems with Kerberos authentication when a user belongs to many groups and from Shane Cothran’s post “keep in mind there is a hard limit of 1,015 groups a user can be a member of” - creating a user with a lot of groups seems like a good start to get to the 12000 bytes size.

Using PowerShell to Create Groups and add to a User Account

PS C:\> Get-Module -ListAvailable
PS C:\> Import-Module ActiveDirectory

Creating a group using PowerShell:

PS C:\> NEW-ADGroup –name “group1” –groupscope Global –path “OU=test,DC=lab,DC=priv”

This can be scripted to create 1000 groups.

Then create a user and add it to a group:

PS C:\> Add-ADGroupMember -Identity “group1” -Members “testuser”

And repeat for all 1000 groups.

Testing Part 1

Connect to a CIFS share - with a user that’s not got over 900 groups - from a test machine.

c:\>whoami
lab\naadmin

c:\>net use T: \\priclu1v1-cli\v_PKD$
The command completed successfully.

c:\>ipconfig
   IPv4 Address. . . . . . . . . . . : 10.10.10.31

And confirm we are indeed using Kerberos:

PRICLU1::> cifs session show -fields auth-mechanism,address,windows-user
node     vserver   address     auth-mechanism windows-user
-------- --------- ----------- -------------- ------------
NACLU1N1 PRICLU1V1 10.10.10.31 Kerberos       LAB\NAADMIN

Then try connecting with the testuser created above. Does it work or not?

C:\Users\testuser>whoami
lab\testuser

C:\Users\testuser>net use T: \\priclu1v1-cli\v_PKD$
The command completed successfully.

C:\Users\testuser>ipconfig
   IPv4 Address. . . . . . . . . . . : 10.10.10.31

PRICLU1::> cifs session show -fields auth-mechanism,address,windows-user
node     vserver   address     auth-mechanism windows-user
-------- --------- ----------- -------------- ------------
NACLU1N1 PRICLU1V1 10.10.10.31 Kerberos       LAB\testuser

It does indeed work and it’s using Kerberos.

Increasing the Size of the Kerberos Ticket

The token size was not greater than 12000 bytes.

Using the Get-TokenSizeReport.ps1 from:

Checking the token of user testuser in domain LAB.PRIV
There are 1001 groups in the token.
- 1 are domain local security groups.
- 1000 are domain global scope security groups inside the users domain.
- 0 are domain global scope security groups outside the users domain.
- 0 are universal security groups inside the users domain.
- 0 are universal security groups outside the users domain.
The primary group is Domain Users.
There are 0 SIDs in the users SIDHistory.
The current userAccountControl value is 66048.
Token size is 9240 and the user is not trusted for delegation.

So, thet’s trust it for delegation to increase the size of the Kerberos ticket.

Using instructions from Suprej Venkat's blog to make the ‘Delegation’ tab appear in Windows Server 2008:

C:\Users\Administrator>setspn -A HTTP/test.lab.priv LAB\testuser
Registering ServicePrincipalNames for CN=testuser,OU=~USERS,DC=lab,DC=priv
        HTTP/test.lab.priv
Updated object

Image: Trusting a User for Delegation
This makes the token size:

Checking the token of user testuser in domain LAB.PRIV
There are 1001 groups in the token.
- 1 are domain local security groups.
- 1000 are domain global scope security groups inside the users domain.
- 0 are domain global scope security groups outside the users domain.
- 0 are universal security groups inside the users domain.
- 0 are universal security groups outside the users domain.
The primary group is Domain Users.
There are 0 SIDs in the users SIDHistory.
The current userAccountControl value is 590336.
Token size is 18480 and the user is trusted for delegation.
Processed 8 of 8 user accounts = 100.00 % complete.

Over 18480 bytes, so we try again:

Testing Part 2

C:\Users\testuser>net use T: \\priclu1v1-cli\v_PKD$
The command completed successfully.

PRICLU1::> cifs session show -fields auth-mechanism,address,windows-user
node     vserver   address     auth-mechanism windows-user
-------- --------- ----------- -------------- ------------
NACLU1N1 PRICLU1V1 10.10.10.31 Kerberos       LAB\testuser

And it still works!

(Which was not what I’d been expecting - I guess the Kerberos ticket size got increased by a Windows update sometime?)

Further Reading

No comments:

Post a Comment