[cifs-protocol] 114121712176508 MS-KILE Behaviour for client principal name in service tickets

Andrew Bartlett abartlet at samba.org
Sun Feb 15 19:14:46 MST 2015

On Mon, 2015-02-16 at 01:01 +0000, Sreekanth Nadendla wrote:
> Hello Andrew, Our product team finds that no explicit change to our documents is needed. Below is the summary of explanation 
> covering the 3 scenarios we have been investigating.
> 1.)	When canonicalization is NOT asked for, the Cname in the KDC reply is identical to the Cname that was sent in the request.  This is exactly RFC behavior, so MS-KILE doesn’t need to describe this separately.
> 2.)	When canonicalization is asked for, the Cname in the KDC reply will be the user account’s normalized SAM account name.  
> So this could result in mismatch of username between what is present in the Kerberos ticket and the value specified in the Request.
> Section 6 from http://tools.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-referrals-11 describes this.  
> 3.)	The KDC always returns its proper realm name.  This is not part of
> the canonicalize flag.  Per the RFC, realm names are case sensitive
> and so sending a realm name with the case modified should result in
> Kerberos rejecting the authentication outright since the realm name
> provided is not known.  Windows allows realm names to be case
> insensitive which is why you can get away with this.

Where is the Windows behaviour note for this?


Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the cifs-protocol mailing list