Pulse with ESP has problems with Kerberos Tickets

Schütz Dominik Dominik.Schuetz at esolutions.de
Fri May 20 05:38:51 PDT 2022


Hi,

On some Ubuntu 20.04 clients with OpenConnect v9.01 and "--protocol=pulse" we have the problem that with ESP the Kerberos tickets are not correct. If you use the official Pulse UI for Ubuntu and ESP, the problems do not occur.


We get the following messages on port 88:
# tcpdump -i any -nn -q -e host xx.x.x.x
...
11:05:39.369009 Out xx.x.xxx.xxx.51144 > xx.x.x.xx.88: UDP, bad length 2007 > 1368
11:05:39.859779 Out xx.x.xxx.xxx.36940 > xx.x.x.x.88: tcp 1348
11:05:40.370092 Out xx.x.xxx.xxx.53779 > xx.x.x.xx.88: UDP, bad length 2007 > 1368
11:05:42.163732 Out xx.x.xxx.xxx.36946 > xx.x.x.x.88: tcp 1348
11:05:42.419871 Out xx.x.xxx.xxx.57350 > xx.x.x.xx.88: tcp 1348
11:05:43.371782 Out xx.x.xxx.xxx.59108 > xx.x.x.x.88: UDP, bad length 2007 > 1368
11:05:43.703724 Out xx.x.xxx.xxx.57348 > xx.x.x.xx.88: tcp 1348
11:05:44.372870 Out xx.x.xxx.xxx.51144 > xx.x.x.xx.88: UDP, bad length 2007 > 1368
11:05:45.373981 Out xx.x.xxx.xxx.53779 > xx.x.x.xx.88: UDP, bad length 2007 > 1368
11:05:45.439360  In xx.x.x.x.88 > xx.x.xxx.xxx.53000: tcp 0
11:05:46.003763 Out xx.x.xxx.xxx.53002 > xx.x.x.xx.88: tcp 1348
11:05:49.075745 Out xx.x.xxx.xxx.36946 > xx.x.x.x.88: tcp 1348
11:05:50.375788 Out xx.x.xxx.xxx.59108 > xx.x.x.x.88: UDP, bad length 2007 > 1368
11:05:51.376840 Out xx.x.xxx.xxx.51144 > xx.x.x.x.88: UDP, bad length 2007 > 1368
11:05:51.821741  In xx.x.x.x.88 > xx.x.xxx.xxx.36940: tcp 0
11:05:51.821774  In xx.x.x.x.88 > xx.x.xxx.xxx.36944: tcp 0
11:05:52.377443 Out xx.x.xxx.xxx.53779 > xx.x.x.xx.88: UDP, bad length 2007 > 1368
...


The communication with the Active Directory is also disturbed, so in the case of:
$ sudo -i

The following is constantly displayed:
[sudo] password for dominik: 
Sorry, try again.
[sudo] password for dominik:

although the password is correct.


The affected users have DS-Lite at home. Could that be the problem? But why does it work with Pulse UI + ESP but not with OpenConnect + ESP?

Regards,
Dominik
e.solutions GmbH 

Despag-Straße 4a, 85055 Ingolstadt,  

Phone +49845833321287
 
Dominik.Schuetz at esolutions.de
Please, find my mail encryption keys at: https://secmail.esolutions.de

Registered Office: 
e.solutions GmbH
Despag-Straße 4a, 85055 Ingolstadt, Germany  
Managing Directors Uwe Reder, Rainer Lange
Register Court Ingolstadt HRB 5221


More information about the openconnect-devel mailing list