[cifs-protocol] 115012912337526 Where is the link between Kerberos principals and servicePrincipalName/userPrincipalName specified?

Sreekanth Nadendla srenaden at microsoft.com
Tue Feb 17 21:50:46 MST 2015


Hello Andrew, below are the answers to your questions (numbered for convenience).


1) A valid Server Principal Name would be samAccountName @ REALM
2) And for a Service it would be servicePrincipalName @ REALM
3) A valid Client Principal Name would be userPrincipalName or samAccountName @ REALM

Where are details for #1, #2, #3 ?


4)	What specifically determines that a principal is a valid Kerberos service principal? I can't find where this is actually written down, and I'm not entirely clear what exact restriction I should implement on these mappings, if any.


ANSWERS:
=========

For #1 above i.e. format of "Server Principal Name" refer to MS-DISO section 7.4.5.5. Nothing new to add apart from what MIT Kerberos docs describe "Server Principal" to be.

For #2, i.e. format of "Service Principal Name", the text in MS-ADTS section 3.1.1.5.3.1.1.4 servicePrincipalName seems to answer it adequately.

"MS-KILE section 3.1.5.11 Naming " also describes this and [SPNNAMES] reference in MS-KILE points to the following 
https://msdn.microsoft.com/en-us/library/ms677601(v=vs.85).aspx 
https://msdn.microsoft.com/en-us/library/ms676921(v=vs.85).aspx

For #3, i.e. format of "Client Principal",

See MS-ADTS section 5.1.1.1.1 Simple Authentication

<SNIPPET>
The UPN of an object is either:
A value of the userPrincipalName attribute of the object, or

Only for AD DS: The value of the sAMAccountName attribute of the object, followed by a "@" sign, followed by either:
The DNS name of a domain in the same forest as the object, or
A value in the uPNSuffixes attribute of the Partitions container in the config NC replica.
</SNIPPET>

Also see MS-LSAT section 3.1.1.1.4 Account Domain Principal View

<SNIPPET>
 ......
 Default User Principal Names is constructed using the following rules:
 .....
</SNIPPET>

For #4, it is not clear what you mean by valid service principal. We know the rules of constructing an SPN and anything that follows the syntax is a valid one. Active Directory finds a match to identify the user/machine account given an SPN. As for restrictions on these fields, section "3.1.1.5.1.3 Uniqueness Constraints" in MS-ADTS answers it.


Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications
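To make the naming rules above concrete, here is an added example (not code from the thread, Samba or Microsoft) that builds the client and server principal names an account can appear under, following the reply's rules, and resolves a Kerberos principal back to one account. The forest DNS names, uPNSuffixes value, realm and accounts are constructed sample values; case-insensitive matching is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed forest naming data (assumed values). In a real forest these come from the
# domain naming contexts and the uPNSuffixes attribute of the Partitions container.
FOREST_DNS_DOMAINS = {"corp.example.test", "child.corp.example.test"}
UPN_SUFFIXES = {"example.test"}
REALM = "CORP.EXAMPLE.TEST"

@dataclass
class Account:
    """Minimal view of an AD account: only the attributes the naming rules use."""
    sam_account_name: str
    user_principal_name: Optional[str] = None
    service_principal_names: list = field(default_factory=list)

def client_principals(acct: Account) -> set:
    """Client principal names (MS-ADTS 5.1.1.1.1): the userPrincipalName, or
    sAMAccountName@<DNS name of a forest domain or a uPNSuffixes value>."""
    names = {acct.user_principal_name} if acct.user_principal_name else set()
    names |= {f"{acct.sam_account_name}@{s}" for s in FOREST_DNS_DOMAINS | UPN_SUFFIXES}
    return names

def server_principals(acct: Account, realm: str = REALM) -> set:
    """Server principal names: sAMAccountName@REALM or any servicePrincipalName@REALM."""
    return {f"{n}@{realm}" for n in [acct.sam_account_name, *acct.service_principal_names]}

def resolve(principal: str, accounts: list):
    """Map a Kerberos principal to (account, roles) or None. Comparison is case-insensitive
    (assumption). Raises if two accounts claim the same name, mirroring the uniqueness
    constraint the reply points to (MS-ADTS 3.1.1.5.1.3)."""
    key = principal.casefold()
    hits = []
    for acct in accounts:
        roles = set()
        if key in {n.casefold() for n in client_principals(acct)}:
            roles.add("client")
        if key in {n.casefold() for n in server_principals(acct)}:
            roles.add("server")
        if roles:
            hits.append((acct, roles))
    if len(hits) > 1:
        raise ValueError(f"{principal} claimed by {[a.sam_account_name for a, _ in hits]}")
    return hits[0] if hits else None

if __name__ == "__main__":
    alice = Account("alice", "alice.smith@example.test")
    fs01 = Account("FS01$", service_principal_names=["cifs/fs01.corp.example.test", "host/FS01"])
    for p in ("alice@CORP.EXAMPLE.TEST", "alice.smith@example.test",
              "cifs/fs01.corp.example.test@CORP.EXAMPLE.TEST", "nobody@corp.example.test"):
        print(p, "->", resolve(p, [alice, fs01]))
```

Note that sAMAccountName@REALM resolves as both a client and a server principal for the same account, which is exactly the overlap the original question describes.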

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Wednesday, January 28, 2015 7:51 PM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org
Subject: Where is the link between Kerberos principals and servicePrincipalName/userPrincipalName specified?

In MS-KILE, following on from 114121712176508 which is in a bit of a dead end, I'm wondering about where the mapping between the values in LDAP and the valid values for client and server principal names in Kerberos is specified?

We 'know' most of this - either a userPrincipalName or the samAccountName @ REALM (or netbios domain) is a valid client principal, and samAccountName @ REALM or servicePrincipalName @ REALM is a valid server principal, but I can't find where this is actually written down, and I'm not entirely clear what exact restriction I should implement on these mappings, if any.

In particular, what specifically determines that a principal is a valid Kerberos service principal?

Thanks,

Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
