[cifs-protocol] 114121712176508 MS-KILE Behaviour for client principal name in service tickets

Sreekanth Nadendla srenaden at microsoft.com
Tue Feb 17 10:10:27 MST 2015

Andrew, from the capture you have provided us (no-canon.enterprise.lc-realm.uc-user.krb5-realm.win2k.upn.pcap), 

Client sent Cname = TESTALLOWED_UPN@w2k12.abartlet.wgtn.cat-it.co.nz and the actual submitted Realm from the network capture is WIN2012R2.ABARTLET.WGTN.CAT-IT.CO.NZ. (It is not w2k12.abartlet.wgtn.cat-it.co.nz)

The client did not ask for canonicalization.
The KDC returned Cname TESTALLOWED_UPN@w2k12.abartlet.wgtn.cat-it.co.nz which is exactly what is sent.
The KDC returned Crealm WIN2012R2.ABARTLET.WGTN.CAT-IT.CO.NZ as expected.

The realm is always normalized per RFC. It's just that if Windows AD receives a mixed case realm name, then it will do a case insensitive comparison per MS-KILE Internationalization and Case Sensitivity.

I do not see short-form domain being changed to a DNS-based realm. Please let me know if I am missing something.  

Sreekanth Nadendla
Microsoft Windows Open Specifications

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Monday, February 16, 2015 11:11 PM
To: Sreekanth Nadendla
Cc: MSSolve Case Email; cifs-protocol at samba.org
Subject: Re: [cifs-protocol] 114121712176508 MS-KILE Behaviour for client principal name in service tickets

On Tue, 2015-02-17 at 03:44 +0000, Sreekanth Nadendla wrote:
> Hello Andrew, MS-KILE section “Internationalization and Case Sensitivity” mentions that Name comparisons, whether for users or domains MUST NOT be case sensitive in MS-KILE. So a separate WBN is NOT needed.

I still don't see where that allows a short-form domain to be changed into a DNS-based realm, nor implies that the case of that MUST be transformed to upper case.

Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba