[cifs-protocol] 114121712176508 MS-KILE Behaviour for client principal name in service tickets
srenaden at microsoft.com
Tue Feb 17 10:10:27 MST 2015
Andrew, from the capture you have provided us (no-canon.enterprise.lc-realm.uc-user.krb5-realm.win2k.upn.pcap),
Client sent Cname = TESTALLOWED_UPN@w2k12.abartlet.wgtn.cat-it.co.nz and the actual submitted Realm from the network capture is WIN2012R2.ABARTLET.WGTN.CAT-IT.CO.NZ. (It is not w2k12.abartlet.wgtn.cat-it.co.nz)
The client did not ask for canonicalization.
The KDC returned Cname TESTALLOWED_UPN@w2k12.abartlet.wgtn.cat-it.co.nz which is exactly what is sent.
The KDC returned Crealm WIN2012R2.ABARTLET.WGTN.CAT-IT.CO.NZ as expected.
The realm is always normalized per RFC. It's just that if Windows AD receives a mixed-case realm name, then it will do a case-insensitive comparison per MS-KILE 126.96.36.199 Internationalization and Case Sensitivity.
I do not see short-form domain being changed to a DNS-based realm. Please let me know if I am missing something.
Microsoft Windows Open Specifications
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Monday, February 16, 2015 11:11 PM
To: Sreekanth Nadendla
Cc: MSSolve Case Email; cifs-protocol at samba.org
Subject: Re: [cifs-protocol] 114121712176508 MS-KILE Behaviour for client principal name in service tickets
On Tue, 2015-02-17 at 03:44 +0000, Sreekanth Nadendla wrote:
> Hello Andrew, MS-KILE section “188.8.131.52 Internationalization and Case Sensitivity” mentions that Name comparisons, whether for users or domains, MUST NOT be case sensitive in MS-KILE. So a separate WBN is NOT needed.
I still don't see where that allows a short-form domain to be changed into a DNS-based realm, nor implies that the case of that MUST be transformed to upper case.
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba