February 2008 - Posts

Service Principal Name Headache

Yet another post to remind myself just in case I forgot... again.

Troubleshooting Kerberos authentication is a pain. 

Rules of thumb:

"Thou shalt not have more than one service account delegating for the same service to the same server at one time."

"If thou hast ever found thyself in need to violate rule #1, consider assigning the SPN ONLY to the server account itself."

Say you have Server1 and Server2 which belong to domain DOMAIN and ServiceAccount1 and ServiceAccount2 which need to do HTTP delegation.

See the following scenarios:

Forbidden (2 service accounts are mapped to delegate HTTP service on the same server):

HTTP/Server1 DOMAIN\ServiceAccount1
HTTP/Server1 DOMAIN\ServiceAccount2

Allowed (1 service account mapped to delegate HTTP service on 2 different servers):

HTTP/Server1 DOMAIN\ServiceAccount1
HTTP/Server2 DOMAIN\ServiceAccount1

Forbidden (a service account and the server's own account are both mapped to delegate HTTP service on the same server):

HTTP/Server1 DOMAIN\ServiceAccount1
HTTP/Server1 DOMAIN\Server1

Allowed (only server account is allowed to delegate HTTP service on that particular server):

HTTP/Server1 DOMAIN\Server1

Tools that you can use to troubleshoot SPNs issues are:

CSVDE + Excel: You can use these two to find out if you have duplicate SPNs.

For example, run CSVDE -f results.csv -r "(objectClass=User)" -l "sAMAccountName,servicePrincipalName" from Command Prompt and then open results.csv using Excel and do your data filtering there to find out the duplicates.  After you find them, you can remove the offending SPN using SETSPN.

KERBTRAY: You can use this tool to remove cached Kerberos tickets on the fly.  Waiting for the ticket to expire by itself is a pain in the butt.
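The Excel filtering step above can also be scripted. The following is an added example (not code from the original post) that reads a CSVDE export like the one produced by the command above and reports every SPN registered on more than one account, which catches both forbidden scenarios from the post (two service accounts on one SPN, and a service account plus the server's own computer account on one SPN). It assumes CSVDE writes DN as the first column and joins multi-valued attributes with ';' inside a single quoted field; the export text embedded in the script is constructed, not real directory data.

```javascript
// Added example, not from the original post: flag SPNs that more than one
// account holds, using a CSVDE export of sAMAccountName,servicePrincipalName.
// Assumptions: DN is the first column; multi-valued attributes are joined
// with ';' inside one quoted field. The export below is constructed.

const constructedExport = [
  'DN,sAMAccountName,servicePrincipalName',
  '"CN=ServiceAccount1,OU=Svc,DC=domain,DC=local",ServiceAccount1,"HTTP/Server1;HTTP/Server1.domain.local;HTTP/Server2"',
  '"CN=ServiceAccount2,OU=Svc,DC=domain,DC=local",ServiceAccount2,"HTTP/Server1"',
  '"CN=Server1,OU=Servers,DC=domain,DC=local",SERVER1$,"HOST/Server1;HOST/Server1.domain.local;HTTP/Server1.domain.local"',
  '"CN=Server2,OU=Servers,DC=domain,DC=local",SERVER2$,"HOST/Server2"',
  '"CN=Alice,OU=Users,DC=domain,DC=local",alice,',
].join('\r\n');

// Minimal CSV line splitter: handles quoted fields (DNs contain commas)
// and doubled quotes ("") inside a quoted field.
function splitCsvLine(line) {
  const fields = [];
  let cur = '';
  let inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (inQuotes) {
      if (ch === '"' && line[i + 1] === '"') { cur += '"'; i++; }
      else if (ch === '"') inQuotes = false;
      else cur += ch;
    } else if (ch === '"') {
      inQuotes = true;
    } else if (ch === ',') {
      fields.push(cur); cur = '';
    } else {
      cur += ch;
    }
  }
  fields.push(cur);
  return fields;
}

// Parse the export into { account, spns[] } records, locating the two
// columns by header name so column order does not matter.
function parseCsvdeExport(text) {
  const lines = text.split(/\r?\n/).filter(l => l.length > 0);
  const header = splitCsvLine(lines[0]);
  const acctIdx = header.indexOf('sAMAccountName');
  const spnIdx = header.indexOf('servicePrincipalName');
  if (acctIdx < 0 || spnIdx < 0) throw new Error('export lacks the expected columns');
  return lines.slice(1).map(splitCsvLine).map(f => ({
    account: f[acctIdx],
    spns: (f[spnIdx] || '').split(';').map(s => s.trim()).filter(Boolean),
  }));
}

// Return { spn: [accounts] } for every SPN held by more than one account.
// Comparison is case-insensitive, since the directory does not treat
// HTTP/Server1 and http/server1 as distinct service principals.
function findDuplicateSpns(records) {
  const owners = new Map();
  for (const r of records) {
    for (const spn of r.spns) {
      const key = spn.toLowerCase();
      if (!owners.has(key)) owners.set(key, []);
      owners.get(key).push(r.account);
    }
  }
  const dups = {};
  for (const [spn, accts] of owners) {
    if (accts.length > 1) dups[spn] = accts;
  }
  return dups;
}

// Report: each line names one SPN to clean up with SETSPN.
function report(exportText) {
  const dups = findDuplicateSpns(parseCsvdeExport(exportText));
  for (const [spn, accts] of Object.entries(dups)) {
    console.log(`duplicate SPN ${spn}: ${accts.join(', ')}`);
  }
  return dups;
}

report(constructedExport);
```

Run it with `node` against a real results.csv by replacing the constructed export with the file contents; each reported SPN is one that violates the "one account per SPN" rule and needs SETSPN -D on all but the intended owner.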

Posted by Jimmy Chandra | 2 comment(s)

JavaScript URL Bar Injection

This is more of a reminder for myself since I did something like this before but forgot how to do it again.

OK, a single line injection is easy.

For example: entering javascript:alert("Hello, World!"); into the URL bar will give you a dialog box with Hello, World! in it.  This does not really do anything useful, but you can replace the "Hello, World!" literal with say... document.getElementById("container").innerHTML so you can display the content of the #container element.  That's a little bit more useful for debugging.

Doing javascript:void(document.getElementById("container").innerHTML = "Hello, World!"); is more useful when you want to mess around with an element's content.  With this method, you can inject HTML elements into the existing DOM.

Now, what if you have a pretty complex code fragment that you want to inject into the URL bar?  For example, when I inject my JavaScript, I want to execute 2, 3, or more JavaScript statements.  How could I do something like that?

It turned out that it wasn't that difficult.

Here is an example of how to do just that...

javascript:void(function(){alert("Boo");alert("Foo");}());
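The following is an added example (not code from the original post) that shows, offline in Node, why the two ingredients of this form matter: the function wrapper turns several statements into one expression, and void makes that expression evaluate to undefined. A browser treats a javascript: URL as an expression; when the result is a string it navigates to that string instead of keeping the current page, which is exactly what happens if the assignment from the earlier post is written without void. The document object here is a constructed stand-in with just a getElementById method, and new Function stands in for the URL bar's evaluator; neither is part of the original post.

```javascript
// Added example, not from the original post. Models what the URL bar does
// with a javascript: URL: evaluate the text after the scheme as an expression
// in the page's context, and replace the page if the result is not undefined.
// The document below is a constructed stand-in, not a real DOM.

// Tiny stand-in for `document`: just enough for getElementById.
function makeFakeDocument() {
  const elements = { container: { innerHTML: 'original' } };
  return { getElementById: id => elements[id] || null, elements };
}

// Join statements into the post's javascript:void(function(){...}()); shape.
function buildJavascriptUrl(statements) {
  return 'javascript:void(function(){' + statements.join('') + '}());';
}

// Evaluate a javascript: URL against the given document and report whether
// a browser would replace the page (result !== undefined) and with what.
function runJavascriptUrl(url, document) {
  if (!url.startsWith('javascript:')) throw new Error('not a javascript: URL');
  // Drop the scheme and any trailing semicolon so the text is one expression.
  const source = url.slice('javascript:'.length).replace(/;\s*$/, '');
  // new Function is the offline stand-in for the URL bar's evaluator; the
  // parameter named `document` plays the page's global document.
  const result = new Function('document', 'return (' + source + ')')(document);
  return { replacesPage: result !== undefined, result };
}

// 1. Assignment without void: the expression's value is the assigned string,
//    so the browser would navigate away to a page containing "Hello, World!".
const docA = makeFakeDocument();
const withoutVoid = runJavascriptUrl(
  'javascript:document.getElementById("container").innerHTML = "Hello, World!"', docA);

// 2. The post's multi-statement form: every statement runs, the element is
//    changed, and void yields undefined, so the page stays put.
const docB = makeFakeDocument();
const multi = buildJavascriptUrl([
  'var el = document.getElementById("container");',
  'el.innerHTML = "Hello, World!";',
  'el.innerHTML += " (second statement ran)";',
]);
const withVoid = runJavascriptUrl(multi, docB);

console.log('without void replaces page:', withoutVoid.replacesPage, '->', withoutVoid.result);
console.log('with void replaces page:', withVoid.replacesPage, '; container now:', docB.elements.container.innerHTML);
```

The same property is what makes the one-liner form from the earlier post safe to type: alert returns undefined, so no void is needed there, while an assignment or a bare innerHTML read returns a string and must be wrapped.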

Hopefully I won't forget this again. Hehehe.

Happy JavaScripting...

Posted by Jimmy Chandra | 1 comment(s)