[cifs-protocol] 115012912337526 Where is the link between Kerberos principals and servicePrincipalName/userPrincipalName specified?
srenaden at microsoft.com
Tue Feb 17 21:50:46 MST 2015
Hello Andrew, below are the answers for your questions (numbered for convenience).
1) A valid Server Principal Name would be samAccountName @ REALM
2) And for a Service it would be ServicePrincipalName @ REALM
3) A valid Client Principal Name would be userPrincipalName or samAccountName at REALM
Where are details for #1, #2, #3 ?
4) What specifically determines that a principal is a valid Kerberos service principal? I can't find where this is actually written down, and I'm not entirely clear what exact restriction I should implement on these mappings, if any.
For #1 above i.e. format of "Server Principal Name" refer to MS-DISO section 188.8.131.52. Nothing new to add apart from what MIT Kerberos docs describe "Server Principal" to be.
For #2 i.e. format of "Service Principal Name" text in MS-ADTS section 184.108.40.206.220.127.116.11 servicePrincipalName seems to answer it adequately.
"MS-KILE section 18.104.22.168 Naming" also describes this and the [SPNNAMES] reference in MS-KILE points to the following
For #3, i.e. format of "Client Principal",
See MS-ADTS section 22.214.171.124.1 Simple Authentication
The UPN of an object is either:
A value of the userPrincipalName attribute of the object, or
Only for AD DS: The value of the sAMAccountName attribute of the object, followed by a "@" sign, followed by either:
The DNS name of a domain in the same forest as the object, or
A value in the uPNSuffixes attribute of the Partitions container in the config NC replica.
Also see MS-LSAT section 126.96.36.199.4 Account Domain Principal View
Default User Principal Names are constructed using the following rules:
For #4, It is not clear what you mean by valid service principal. We know the rules of constructing an SPN and anything that follows the syntax is a valid one. The Active Directory finds a match to identify the user/machine account given an SPN. As for restrictions on these fields, section "188.8.131.52.1.3 Uniqueness Constraints" in MS-ADTS answers it.
Microsoft Windows Open Specifications
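The rules quoted in the reply above (a client principal is a userPrincipalName value, or sAMAccountName followed by "@" and a forest DNS domain or uPNSuffixes value, or sAMAccountName @ REALM; a server principal is sAMAccountName @ REALM or servicePrincipalName @ REALM) can be turned into a small resolver. The following is an added illustration written for this page; it is not code from the thread, from Samba or from Microsoft, and it runs against a constructed in-memory directory rather than real AD. The realm `EXAMPLE.COM`, the forest DNS domains, the uPNSuffixes value and every account in `DIRECTORY` are constructed sample data. It deliberately refuses to map an SPN that appears on more than one account, in the spirit of the uniqueness constraints the reply points to, and ignores Kerberos backslash escaping in names.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample values (not from the thread).
REALM = "EXAMPLE.COM"
FOREST_DNS_DOMAINS = {"example.com", "child.example.com"}   # DNS names of domains in the forest
UPN_SUFFIXES = {"corp.example"}                             # stand-in for uPNSuffixes on the Partitions container


@dataclass
class Account:
    """Minimal stand-in for a user or computer object in the directory."""
    sam_account_name: str
    user_principal_name: Optional[str] = None
    service_principal_names: List[str] = field(default_factory=list)


# Constructed sample directory.
DIRECTORY = [
    Account("alice", "alice@corp.example"),
    Account("bob"),
    Account("web01$", None, ["HTTP/web01.example.com", "host/web01.example.com"]),
    Account("svc_sql", "svc_sql@example.com", ["MSSQLSvc/db01.example.com:1433"]),
]


def split_principal(principal: str):
    """Split 'name@REALM' at the last '@'; a service name keeps its '/' parts."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("not a name@REALM principal: %r" % principal)
    return name, realm


def candidate_upns(acct: Account):
    """All UPN forms the quoted MS-ADTS rule allows for one object, lower-cased."""
    upns = set()
    if acct.user_principal_name:
        upns.add(acct.user_principal_name.lower())           # explicit userPrincipalName value
    for suffix in FOREST_DNS_DOMAINS | UPN_SUFFIXES:          # sAMAccountName @ forest domain / uPNSuffixes
        upns.add(("%s@%s" % (acct.sam_account_name, suffix)).lower())
    return upns


def resolve_client_principal(principal: str, directory=DIRECTORY) -> Optional[Account]:
    """Map a client principal to an account: sAMAccountName @ REALM, or any UPN form."""
    name, realm = split_principal(principal)
    for acct in directory:
        if realm.upper() == REALM and name.lower() == acct.sam_account_name.lower():
            return acct
        if principal.lower() in candidate_upns(acct):
            return acct
    return None


def resolve_server_principal(principal: str, directory=DIRECTORY) -> Optional[Account]:
    """Map a server principal: sAMAccountName @ REALM or servicePrincipalName @ REALM.

    An SPN held by zero or by more than one account yields None: the mapping
    must be unambiguous before a ticket can be issued for that service.
    """
    name, realm = split_principal(principal)
    if realm.upper() != REALM:
        return None
    if "/" in name:  # SPN form, e.g. HTTP/host.example.com
        matches = [a for a in directory
                   if name.lower() in (s.lower() for s in a.service_principal_names)]
        return matches[0] if len(matches) == 1 else None
    for acct in directory:
        if name.lower() == acct.sam_account_name.lower():
            return acct
    return None


if __name__ == "__main__":
    for p in ("alice@EXAMPLE.COM", "alice@corp.example", "bob@child.example.com", "bob@nowhere.example"):
        a = resolve_client_principal(p)
        print("client", p, "->", a.sam_account_name if a else None)
    for p in ("HTTP/web01.example.com@EXAMPLE.COM", "web01$@EXAMPLE.COM", "HTTP/web01.example.com@OTHER.REALM"):
        a = resolve_server_principal(p)
        print("server", p, "->", a.sam_account_name if a else None)
```

The realm comparison is done on the upper-cased realm and the name and SPN comparisons case-insensitively, which matches how these attributes are compared in the directory; whether the KDC should accept a sAMAccountName @ REALM form for a computer account as a server principal is exactly the open question in the thread, and the toy simply allows it.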
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Wednesday, January 28, 2015 7:51 PM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org
Subject: Where is the link between Kerberos principals and servicePrincipalName/userPrincipalName specified?
In MS-KILE, following on from 114121712176508 which is in a bit of a dead end, I'm wondering about where the mapping between the values in LDAP and the valid values for client and server principal names in Kerberos is specified?
We 'know' most of this - either a userPrincipalName or the samAccountName @ REALM (or netbios domain) is a valid client principal, and samAccountName @ REALM or servicePrincipalName @ REALM is a valid server principal, but I can't find where this is actually written down, and I'm not entirely clear what exact restriction I should implement on these mappings, if any.
In particular, what specifically determines that a principal is a valid Kerberos service principal?
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba