w2k kerberos logon

Graham Turner gturner at ipcomputers.demon.co.uk
Sun Dec 15 14:43:03 EST 2002

Luke, thanks for these most helpful response - while i don't fully
understand this process of canonicalization (the MS whitepaper or RFC 1510
don't seem to have further information), I am able to see that there is a
mechanism by this downlevel name gets mapped to its DNS equivalent,

Without this i was failing to see how the Kerberos auth process could
succeed by DNS and would therefore have to fallback the relative nastiness

If you have any references on the Kerberos I would be a glad recipient.


"Luke Howard" <lukeh at PADL.COM> wrote in message
news:200212142300.KAA61250 at au.padl.com...
> >Luke, from my admittedly lesser knowledge of the kerberos protocol, i
> >thought a realm was a dns domain name.
> See section 7.1 of RFC 1510. It appears that while Active Directory may
> not be in the spirit of this, they are within the letter.
> >would you be happy to explain further "sets the canonicalize flag" ? - is
> >some sort of a flag to request from the client to the directory server to
> >query the directory and map the netbios name to its dns equivalent.
> A client can set the canonicalize flag in a request to the KDC. It set,
> the client will accept a different principal name in the reply than the
> one it requested.
> Microsoft first specified this flag for Active Directory; they use it
> to support legacy NetBIOS names as well as "enterprise" principal names.
> -- Luke
> --
> Luke Howard | PADL Software Pty Ltd | www.padl.com
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos

More information about the Kerberos mailing list