[cifs-protocol] 114121712176508 MS-KILE Behaviour for client principal name in service tickets

Sreekanth Nadendla srenaden at microsoft.com
Tue Feb 17 21:19:12 MST 2015

Andrew, when you execute kinit user at SHORTDOMAIN, the outgoing AS request uses string user at SHORTDOMAIN as Cname but still would be sent with proper realm name i.e. Crealm is still WIN2012R2.ABARTLET.WGTN.CAT-IT.CO.NZ. Perhaps this is making you think that the Windows AD switched realm part from SHORTDOMAIN to REALM.COM. Also note that the AS response would also have the same Crealm and not SHORTDOMAIN.

If you think I am missing something here can you point me to the fields in the network trace or any other supporting data?

Sreekanth Nadendla
Microsoft Windows Open Specifications
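An added illustration, not from either correspondent: a small model of the two fields the thread is arguing about, the text inside Cname versus the separate Crealm field, with constructed request and response values (the actual trace is not reproduced here).

```python
# Added example: models the AS-REQ/AS-REP fields discussed above with constructed values.
from dataclasses import dataclass
from typing import Optional

NT_PRINCIPAL = 1    # RFC 4120 name-type values
NT_ENTERPRISE = 10  # RFC 6806: name-string is a single "user@domain" component

@dataclass(frozen=True)
class PrincipalName:
    name_type: int
    name_string: tuple        # components, e.g. ("user@SHORTDOMAIN",)

@dataclass(frozen=True)
class AsMessage:
    cname: PrincipalName
    crealm: str               # the realm field proper, independent of any '@' in cname

def realm_equal(a: str, b: str) -> bool:
    """Case-insensitive realm comparison, as MS-KILE describes for Windows AD."""
    return a.upper() == b.upper()

def embedded_suffix(p: PrincipalName) -> Optional[str]:
    """Text after '@' inside an enterprise-style name-string, or None."""
    if p.name_type == NT_ENTERPRISE and len(p.name_string) == 1 and "@" in p.name_string[0]:
        return p.name_string[0].rsplit("@", 1)[1]
    return None

def analyse(req: AsMessage, rep: AsMessage) -> dict:
    """Compare what the client put on the wire with what the KDC echoed back."""
    suffix = embedded_suffix(req.cname)
    return {
        "crealm_same_ignoring_case": realm_equal(req.crealm, rep.crealm),
        "crealm_case_changed": req.crealm != rep.crealm and realm_equal(req.crealm, rep.crealm),
        "cname_echoed_unchanged": req.cname == rep.cname,
        "request_cname_suffix": suffix,
        # True when the '@' part inside cname is not the realm the request actually carried
        "suffix_differs_from_crealm": suffix is not None and not realm_equal(suffix, req.crealm),
    }

def sample_exchange() -> dict:
    """Constructed exchange: kinit user@SHORTDOMAIN with the realm sent in lower case."""
    req = AsMessage(PrincipalName(NT_ENTERPRISE, ("user@SHORTDOMAIN",)), "realm.com")
    rep = AsMessage(PrincipalName(NT_ENTERPRISE, ("user@SHORTDOMAIN",)), "REALM.COM")
    return analyse(req, rep)

if __name__ == "__main__":
    for key, value in sample_exchange().items():
        print(f"{key}: {value}")
```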

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Tuesday, February 17, 2015 1:24 PM
To: Sreekanth Nadendla
Cc: MSSolve Case Email; cifs-protocol at samba.org
Subject: Re: [cifs-protocol] 114121712176508 MS-KILE Behaviour for client principal name in service tickets

On Tue, 2015-02-17 at 17:10 +0000, Sreekanth Nadendla wrote:
> Andrew, from the capture you have provided us 
> (no-canon.enterprise.lc-realm.uc-user.krb5-realm.win2k.upn.pcap),
> Client sent Cname = TESTALLOWED_UPN at w2k12.abartlet.wgtn.cat-it.co.nz 
> and the actual submitted Realm from the network capture is 
> WIN2012R2.ABARTLET.WGTN.CAT-IT.CO.NZ.  (It is not 
> w2k12.abartlet.wgtn.cat-it.co.nz)
> The client did not ask for canonicalization.
> The KDC returned Cname 
> TESTALLOWED_UPN at w2k12.abartlet.wgtn.cat-it.co.nz which is exactly what is sent.
> The KDC returned Crealm WIN2012R2.ABARTLET.WGTN.CAT-IT.CO.NZ as expected.
> The realm is always normalized per RFC. It's just that if Windows AD receives a mixed case realm name, then it will do a case insensitive comparison per MS-KILE Internationalization and Case Sensitivity.
> I do not see short-form domain being changed to a DNS-based realm. Please let me know if I am missing something.

I'm sorry, I didn't raise that particular sub-case, because I thought that it would follow out of a clearer explanation of the general case.
As you continue to insist that this area is all perfectly unusual, and fits into an unintended (in my view) reading of the non-canonicalisation case (that an infinite variety of principals would be generated on the KDC, that all happen to share the same underlying identity/username/password), I'm trying to make clear that the Windows behaviour is special, under-documented and unique.

As demonstration please examine that, along with the case transformation for the realm, canonicalisation or not, if you kinit for user at SHORTDOMAIN, the ticket returned is for user at REALM.COM.


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
