Kerberos bad password error

m4ppy posted this 07 April 2018

I have an interesting issue. I am using two products that send the user name and password via an RDP session to a server to automatically log you in. The products are CyberArk and VisionApp 2016.

The issue: if I have a password greater than 14 characters then I get a bad password error, and enabling Kerberos debug returns 0x18 bad password. I can manually enter the password at the failed login screen and can log in successfully. This issue is only on Windows 2008 R2 servers running Citrix. This works to other 2008 R2 servers and fine to 2012 R2 Citrix servers. It's only 2008 R2 Citrix servers.

Any ideas? If I drop the password to 14 characters it transparently logs in fine. We have a standard password policy of 15, and I don't want to change this.

Thanks

Chris Mapp

Ravi.Sabharanjak posted this 07 April 2018

Sounds like there is a bug in the RDP negotiation to the 2008 R2 servers. The GUI bypasses the bug; the mechanism that the CyberArk connection is going through might be truncating the password on the Citrix server side.

Does the same issue happen for connections to a non-Citrix server of the same OS?

-Ravi

GuyTe posted this 08 April 2018

14 characters sounds like the LM password length limitation.

Is CyberArk passing the cleartext password or is it using CredSSP/Negotiate?

Is NLA enabled on the Citrix side?

Guy

webster posted this 08 April 2018

I reached out to a fellow CTP from Germany who was a PM on that product many years ago. His reply:

"Wow Visionapp, that is long ago. As you might know the company is sold to ASG and I'm not aware if the product is an active one at ASG. But to your problem, yes this is a "dumb" restriction. I don't know why exactly, but passwords have to be not longer than 14 chars. As far as I know it's not documented, so that makes installation more funny."

Another fellow CTP, also from Germany, was a dev on that product way back when; we are trying to get some info from him.

Thanks

Carl Webster
Citrix Technology Professional Fellow | IGEL Tech Community Insider | Parallels VIPP
http://www.CarlWebster.com
The Accidental Citrix Admin

ken posted this 10 April 2018

From memory, CyberArk uses an ActiveX control to pass user input to the web front end (PVWA), which then talks to the PSM (TS gateway), which passes creds to the target server. Or something like that.

In older versions, you had to disable NLA on the PSM. IIRC this is fixed in newer versions (v9+). Have you checked with CyberArk support? Because I'm reasonably sure this is a known issue (caveat: may not be your specific issue).

Cheers

Ken

m4ppy posted this 11 April 2018

Hi Ken,

I am using the latest version 9.9.5 (I know 10.2 is out), and NLA is disabled. It has me scratching my head as it's only affecting servers with Citrix installed. I need to take some deeper traces to see how the password is being sent from machines. You are right in that it still uses an ActiveX control to manage the connections.

I was hoping someone had seen it before, as these are not new products. I have been reading some parts of Citrix only like a max of 14 characters, and I also need to see if the issue is to do with the credential provider and if Citrix has a listener that's causing the issue.

I can see within the event logs on the DCs it's a bad Kerberos password failing for pre-authentication. Dropping the password to 14 works fine.

Let me dig some more and will update once I work it out.

Thanks

Chris Mapp,
Global Active Directory - Team Leader
Marsh & McLennan Companies
Global Technology Infrastructure (MGTI) | Centralized Operations
No 4 St Paul's Square, Old Hall Street, Liverpool, L3 9SJ
Tel +44 151 242 7029 | Mobile +44 7824 548 873 | chris.mapp@xxxxxxxxxxxxxxxx
www.mmc.com
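Triaging the DC-side symptom Chris describes (Kerberos pre-authentication failures with code 0x18 that the same user then clears by typing the password by hand): an added Python example, not from the thread or from CyberArk/Citrix, that runs over constructed, flattened Security-log lines (hypothetical client addresses and a hypothetical svc.backup account) and separates "fails, then succeeds from the same client" from persistent 0x18 failures.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of domain-controller Security-log records, flattened to one
# line each; hosts, addresses and the svc.backup account are hypothetical.
# 4771 = Kerberos pre-auth failed (0x18 = bad password); 4768 = TGT requested (0x0 = OK).
SAMPLE_LOG = """\
2018-04-07T09:00:01 4771 Account=chris.mapp Client=10.0.5.21 Failure=0x18
2018-04-07T09:00:40 4768 Account=chris.mapp Client=10.0.5.21 Result=0x0
2018-04-07T09:05:10 4771 Account=chris.mapp Client=10.0.5.22 Failure=0x18
2018-04-07T09:05:55 4768 Account=chris.mapp Client=10.0.5.22 Result=0x0
2018-04-07T09:10:00 4771 Account=svc.backup Client=10.0.9.9 Failure=0x18
2018-04-07T09:10:02 4771 Account=svc.backup Client=10.0.9.9 Failure=0x18
2018-04-07T09:10:04 4771 Account=svc.backup Client=10.0.9.9 Failure=0x18
"""

LINE = re.compile(r"^(\S+) (4771|4768) Account=(\S+) Client=(\S+) (?:Failure|Result)=(\S+)$")

def parse(text):
    """Turn the flattened records into (time, event_id, account, client, code) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, eid, acct, client, code = m.groups()
            events.append((datetime.fromisoformat(ts), int(eid), acct, client, code.lower()))
    return events

def classify(events, window=timedelta(minutes=2)):
    """Return {(account, client): verdict} for every pair that logged a 0x18 failure.
    'fails-then-succeeds': each 0x18 is followed within `window` by a successful 4768
    from the same client, i.e. the user logged in by hand right after the automated
    logon failed (the thread's pattern). 'persistent-0x18': no such recovery."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev[2], ev[3])].append(ev)
    verdicts = {}
    for key, evs in by_key.items():
        evs.sort()
        failures = [e for e in evs if e[1] == 4771 and e[4] == "0x18"]
        if not failures:
            continue
        recovered = all(
            any(s[1] == 4768 and s[4] == "0x0" and timedelta(0) <= s[0] - f[0] <= window
                for s in evs)
            for f in failures)
        verdicts[key] = "fails-then-succeeds" if recovered else "persistent-0x18"
    return verdicts
```

Pairs classified as fails-then-succeeds are worth checking against the automated logon path (what the connection broker actually submitted) before treating them as account problems, while persistent-0x18 pairs are the ones to handle as genuine bad-password or lockout cases.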