service name restrictions in AD? problem with kca_service

Douglas E. Engert deengert at
Mon Oct 13 14:52:43 EDT 2003

Dirk Pape wrote:
> Hello,
> maybe I have some related bug with principal names in AD, but maybe not
> In article
> <CCB2683E47559142B2DFE0768181A5BBD82535 at campaspe-cq.vic.cmis.CSIRO.AU>,
>  Bob.Smart at wrote:
> > With just kca it worked. With kca_service I got:
> >
> >   get_cert_authent_K5: krb5_mk_req: Server not found in Kerberos database
> >   Try re-authenticating(K5).  Unable to use your tickets to build the
> > necessary authenticator.

Works for me.

But the AD will return a ticket with a PAC which might increase
the ticket size from 240 or so bytes to 1300 bytes or larger. The original
kx509 and KCA code could have problems with large tickets. We increased the
UDP size to 4000 bytes to help with this, but this also introduces fragmented
UDP packets which have their own problems.

With the AD there is a way when using the SSPI and LSA to request a ticket
without a PAC. But this is not implemented in the MIT code. (I have
some modified kx509 code for the SSPI which I have sent the UMich.) 

Microsoft is also looking at a mod to AD to flag a service account 
so a PAC will never be added to tickets for the service. This would
be useful for AFS as well as KCA which both have restrictions on
the size of the ticket.  

> >
> > However I find this hard to believe since there doesn't seem
> > to be report of such a problem on the web that I can find.
> For the use of the kerberized IMAP-Server cyrus, we need to map a SPN
> imap.hostname to a service account in AD.
> I tried this with ktpass but mapping always failed with an error and the
> SPN was not attached to the account (I tried this with new accounts
> also).
> But it was possible to attach imap/hostname to the same account. Hence
> there seems to be some problem which is related to syntax of SPNs
> allowed in AD.
> To your question about using computer accounts:
> In W2k-Server I have succeeded to map a SPN to a computer account by
> mapping to the user host$, where host is the hostname. This did not work
> when I recently tried on a 2003 Server.
> Dirk.
> --
> Dr. Dirk Pape (Leiter des Rechnerbetriebs)
> FB Mathematik und Informatik der FU-Berlin
> Takustr. 9, 14195 Berlin
> Tel. +49 (30) 838 75143, Fax. +49 (30) 838 75190


 Douglas E. Engert  <DEEngert at>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
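
Added example (not part of the original message, and not kx509 or KCA code): how IPv4 splits a UDP datagram at the sizes mentioned above, and why a 4000-byte datagram is more fragile than a 240-byte or 1300-byte one. The 1500-byte Ethernet MTU, the option-free 20-byte IPv4 header, and treating the quoted ticket size as the whole UDP payload are assumptions; the function names are hypothetical.

```python
# Illustration only. Assumptions: IPv4 without options, Ethernet MTU of 1500,
# and the ticket sizes from the message used as the entire UDP payload.
IP_HEADER = 20   # bytes, IPv4 header without options
UDP_HEADER = 8   # bytes


def max_unfragmented_payload(mtu=1500):
    """Largest UDP payload that still fits in a single IPv4 packet."""
    return mtu - IP_HEADER - UDP_HEADER


def ipv4_fragments(udp_payload_len, mtu=1500):
    """Return [(offset_bytes, data_len, more_fragments), ...] for one datagram.

    Offsets are relative to the start of the IP payload (UDP header included).
    Every fragment except the last must carry a multiple of 8 bytes, because
    the IPv4 fragment-offset field counts in 8-byte units.
    """
    if udp_payload_len < 0 or udp_payload_len + UDP_HEADER + IP_HEADER > 65535:
        raise ValueError("UDP payload length out of range for IPv4")
    per_fragment = (mtu - IP_HEADER) // 8 * 8
    if per_fragment <= 0:
        raise ValueError("MTU too small to carry any data")
    total = udp_payload_len + UDP_HEADER
    fragments, offset = [], 0
    while offset < total:
        size = min(per_fragment, total - offset)
        fragments.append((offset, size, offset + size < total))
        offset += size
    return fragments


def delivery_probability(udp_payload_len, per_packet_loss, mtu=1500):
    """Chance the whole datagram arrives: losing any one fragment loses it all."""
    return (1.0 - per_packet_loss) ** len(ipv4_fragments(udp_payload_len, mtu))


if __name__ == "__main__":
    # 240 and 1300 are the ticket sizes quoted above; 4000 is the raised UDP size.
    for size in (240, 1300, 4000):
        frags = ipv4_fragments(size)
        print(size, "bytes ->", len(frags), "packet(s)", frags,
              "delivery at 1%% loss: %.4f" % delivery_probability(size, 0.01))
```

Only the first fragment carries the UDP header, so a filter that matches on UDP port numbers cannot classify the later fragments by port.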
