[cifs-protocol] 114121712176508 MS-KILE Behaviour for client principal name in service tickets
Andrew Bartlett
abartlet at samba.org
Sun Feb 15 19:14:46 MST 2015
On Mon, 2015-02-16 at 01:01 +0000, Sreekanth Nadendla wrote:
> Hello Andrew, Our product team finds that no explicit change to our documents is needed. Below is the summary of explanation
> covering the 3 scenarios we have been investigating.
>
>
> 1.) When canonicalization is NOT asked for, the Cname in the KDC reply is identical to the Cname that was sent in the request. This is exactly RFC behavior, so MS-KILE doesn’t need to describe this separately.
>
> 2.) When canonicalization is asked for, the Cname in the KDC reply will be the user account's normalized SAM account name.
> So this could result in a mismatch of the username between what is present in the Kerberos ticket and the value specified in the request.
>
> Section 6 from http://tools.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-referrals-11 describes this.
>
> 3.) The KDC always returns its proper realm name. This is not part of
> the canonicalize flag. Per the RFC, realm names are case sensitive
> and so sending a realm name with the case modified should result in
> Kerberos rejecting the authentication outright since the realm name
> provided is not known. Windows allows realm names to be case
> insensitive which is why you can get away with this.
Where is the Windows behaviour note for this?
Thanks,
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
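The three scenarios summarised in the quoted message (cname echoed back when canonicalize is off, normalized sAMAccountName returned when it is on, and the KDC always answering with its proper realm) can be modelled as a small KDC/client pair. The following is an added example, not code from this thread, from Samba or from Windows: the Principal/AsReq classes are simplified stand-ins for the ASN.1 PrincipalName and KDC-REQ fields, the sAMAccountName lookup table is constructed, and the windows_compat switch is an assumed knob that models the case-insensitive realm comparison the message attributes to Windows against the case-sensitive comparison the RFC calls for.

```python
"""Model of the cname/crealm behaviour described in the thread.

Added example; not code from the cifs-protocol thread, Samba or Windows.
Principal/AsReq stand in for the ASN.1 PrincipalName and KDC-REQ fields,
sam_accounts is a constructed lookup table, and windows_compat is an assumed
switch modelling Windows' case-insensitive realm comparison.
"""
from dataclasses import dataclass

# KDCOptions bit 15 is "canonicalize" (RFC 4120 section 5.4.1); KDCOptions is
# a 32-bit BIT STRING whose bit 0 is the most significant bit.
KDC_OPT_CANONICALIZE = 1 << (31 - 15)
NT_PRINCIPAL = 1


@dataclass(frozen=True)
class Principal:
    realm: str
    name: tuple          # name-string components, e.g. ("alice",)
    name_type: int = NT_PRINCIPAL


@dataclass(frozen=True)
class AsReq:
    kdc_options: int
    cname: Principal     # the client's own view of its name and realm


class KdcError(Exception):
    """The KDC refused the request (models an outright rejection)."""


class KdcRepMismatch(Exception):
    """The client-side check of the reply's cname/crealm failed."""


def realms_equal(a, b, windows_compat=False):
    """RFC 4120 realm names are case-sensitive; windows_compat=True models
    the case-insensitive comparison the thread attributes to Windows."""
    return a.upper() == b.upper() if windows_compat else a == b


def kdc_reply_cname(req, proper_realm, sam_accounts, windows_compat=False):
    """KDC side: decide which cname/crealm goes into the AS-REP.

    sam_accounts maps a case-folded requested name to the account's normalized
    sAMAccountName (constructed table standing in for the directory).
    """
    # Scenario 3: the realm must be one this KDC serves. Under the strict RFC
    # comparison a realm that differs only in case is simply not known.
    if not realms_equal(req.cname.realm, proper_realm, windows_compat):
        raise KdcError(f"realm {req.cname.realm!r} not known to this KDC")
    account = sam_accounts.get(req.cname.name[0].lower())
    if account is None:
        raise KdcError("client principal unknown")
    # Scenario 2: canonicalize asked for -> return the normalized name.
    # Scenario 1: otherwise echo the requested name back unchanged.
    canonicalize = bool(req.kdc_options & KDC_OPT_CANONICALIZE)
    name = (account,) if canonicalize else req.cname.name
    # The KDC always returns its proper realm, whatever the canonicalize flag.
    return Principal(proper_realm, name, req.cname.name_type)


def client_check_cname(req, rep_cname, windows_compat=False):
    """Client side: accept the reply's cname/crealm or raise.

    Without canonicalize the reply must name exactly what was requested
    (RFC 4120 section 3.1.5); with canonicalize the client accepts the
    KDC's canonical answer (section 6 of the referrals draft cited above).
    """
    if req.kdc_options & KDC_OPT_CANONICALIZE:
        return rep_cname
    if (rep_cname.name, rep_cname.name_type) != (req.cname.name, req.cname.name_type):
        raise KdcRepMismatch(
            f"cname changed without canonicalize: {req.cname.name} -> {rep_cname.name}")
    if not realms_equal(rep_cname.realm, req.cname.realm, windows_compat):
        raise KdcRepMismatch(
            f"crealm changed without canonicalize: {req.cname.realm!r} -> {rep_cname.realm!r}")
    return rep_cname


def as_exchange(req, proper_realm, sam_accounts, windows_compat=False):
    """Run one AS exchange end to end and return the Principal the client accepts."""
    rep_cname = kdc_reply_cname(req, proper_realm, sam_accounts, windows_compat)
    return client_check_cname(req, rep_cname, windows_compat)


if __name__ == "__main__":
    accounts = {"alice": "Alice"}      # constructed: the sAMAccountName is "Alice"
    realm = "EXAMPLE.COM"
    plain = AsReq(0, Principal(realm, ("alice",)))
    canon = AsReq(KDC_OPT_CANONICALIZE, Principal(realm, ("alice",)))
    lower = AsReq(0, Principal("example.com", ("alice",)))
    print(as_exchange(plain, realm, accounts))     # name stays ("alice",)
    print(as_exchange(canon, realm, accounts))     # name becomes ("Alice",)
    for wc in (False, True):
        try:
            print(as_exchange(lower, realm, accounts, windows_compat=wc))
        except (KdcError, KdcRepMismatch) as e:
            print(f"windows_compat={wc}: {e}")
```

Running the block shows the point of the thread: the lower-case realm request is rejected outright by the strict KDC, while the lenient KDC answers with its proper realm and the client only accepts that answer if it, too, compares realms case-insensitively.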