w2k kerberos logon

Luke Howard lukeh at PADL.COM
Sat Dec 14 18:00:50 EST 2002

>Luke, from my admittedly lesser knowledge of the kerberos protocol, i
>thought a realm was a dns domain name.

See section 7.1 of RFC 1510. It appears that while Active Directory may
not be in the spirit of this, they are within the letter.

>would you be happy to explain further "sets the canonicalize flag" ? - is it
>some sort of a flag to request from the client to the directory server to
>query the directory and map the netbios name to its dns equivalent.

A client can set the canonicalize flag in a request to the KDC. If set,
the client will accept a different principal name in the reply than the
one it requested.

Microsoft first specified this flag for Active Directory; they use it
to support legacy NetBIOS names as well as "enterprise" principal names.

-- Luke

Luke Howard | PADL Software Pty Ltd | www.padl.com
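As an added illustration, not part of Luke's post: the canonicalize flag is bit 15 of the KDCOptions bit string (bit positions from RFC 4120 section 5.4.1, bit 0 being the most significant bit of the first octet), and the client-side rule it governs is that a reply naming a different principal is only acceptable when the request carried that flag. The realm and principal names below are constructed.

```python
"""Encode/decode the KDCOptions bit string and apply the canonicalize rule."""

# Bit positions from RFC 4120 section 5.4.1 (bit 0 = MSB of the first octet).
KDC_OPTIONS = {
    "forwardable": 1,
    "renewable": 8,
    "canonicalize": 15,
    "renewable-ok": 27,
}


def encode_kdc_options(names):
    """Return the 4 KDCOptions octets with the named flags set."""
    octets = bytearray(4)
    for name in names:
        bit = KDC_OPTIONS[name]
        octets[bit // 8] |= 0x80 >> (bit % 8)
    return bytes(octets)


def decode_kdc_options(octets):
    """Return the set of known flag names that are set in a 4-octet value."""
    names = set()
    for name, bit in KDC_OPTIONS.items():
        if octets[bit // 8] & (0x80 >> (bit % 8)):
            names.add(name)
    return names


def accept_reply_name(request_options, requested, replied):
    """Client-side check on an AS-REP/TGS-REP.

    Principals are (realm, name) tuples; Kerberos names are case-sensitive,
    so they are compared exactly.  A reply naming a different principal is
    accepted only if the request set canonicalize.
    """
    if replied == requested:
        return True
    return "canonicalize" in decode_kdc_options(request_options)


if __name__ == "__main__":
    # Constructed: a legacy NetBIOS-style realm canonicalized by the KDC.
    opts = encode_kdc_options(["forwardable", "canonicalize"])
    print(opts.hex(), decode_kdc_options(opts))
    print(accept_reply_name(opts, ("CORP", "alice"),
                            ("CORP.EXAMPLE.COM", "alice")))
```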
