w2k kerberos logon
Luke Howard
lukeh at PADL.COM
Sat Dec 14 18:00:50 EST 2002
>Luke, from my admittedly lesser knowledge of the Kerberos protocol, I
>thought a realm was a DNS domain name.
See section 7.1 of RFC 1510. It appears that while Active Directory may
not be in the spirit of this, they are within the letter.
>Would you be happy to explain further "sets the canonicalize flag"? Is it
>some sort of a flag to request from the client to the directory server to
>query the directory and map the NetBIOS name to its DNS equivalent?
A client can set the canonicalize flag in a request to the KDC. If set,
the client will accept a different principal name in the reply than the
one it requested.
Microsoft first specified this flag for Active Directory; they use it
to support legacy NetBIOS names as well as "enterprise" principal names.
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
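
The client-side rule described in the reply above, as an added example that is not part of the original post or of any Kerberos implementation: a reply naming a different principal is accepted only when the request carried the canonicalize flag (KDCOptions bit 15, as later standardised in RFC 6806). `Principal`, `flag_set`, `accept_reply_client` and the sample names are hypothetical and simplified.

```python
from dataclasses import dataclass

# KDCOptions is a 32-bit flag field; Kerberos numbers bits from the most
# significant end, so bit 15 (canonicalize, RFC 6806) is mask 0x00010000.
CANONICALIZE_BIT = 15


def flag_set(kdc_options: bytes, bit: int) -> bool:
    """Test a Kerberos flag bit in the 4-byte field (bit 0 = MSB of byte 0)."""
    if len(kdc_options) != 4:
        raise ValueError("expected a 32-bit KDCOptions field")
    return bool(kdc_options[bit // 8] & (0x80 >> (bit % 8)))


@dataclass(frozen=True)
class Principal:  # hypothetical, simplified: one name component plus realm
    name: str
    realm: str


def accept_reply_client(kdc_options: bytes, requested: Principal,
                        returned: Principal):
    """Return (principal_to_use, was_rewritten); raise if the reply is unacceptable."""
    if returned == requested:
        return returned, False
    if flag_set(kdc_options, CANONICALIZE_BIT):
        # The client asked for canonicalization, so a different name is
        # allowed. Callers should record the rewrite for audit.
        return returned, True
    raise ValueError(
        f"reply names {returned}, but {requested} was requested without canonicalize")


# Constructed sample values, not taken from any real deployment.
OPTS_CANON = (1 << (31 - CANONICALIZE_BIT)).to_bytes(4, "big")  # 00 01 00 00
OPTS_PLAIN = bytes(4)
ASKED = Principal("alice", "CORP")                # short, NetBIOS-style realm
REPLIED = Principal("alice", "CORP.EXAMPLE.COM")  # name the KDC put in the reply

if __name__ == "__main__":
    print(accept_reply_client(OPTS_CANON, ASKED, REPLIED))
    try:
        accept_reply_client(OPTS_PLAIN, ASKED, REPLIED)
    except ValueError as exc:
        print("rejected:", exc)
```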