Problem changing expired Windows 2000 passwords

Luke Howard lukeh at PADL.COM
Wed Aug 18 07:19:29 EDT 2004


>I am not sure if this is useful or not, but we recently noticed
>something odd when logging in with user@REALM. If you log in with an
>account name of this format and the account is set to use DES keys, the
>client principal name shown in Windows cache is user@domain@REALM
>instead of user@REALM ...

That's because name canonicalization is disabled for users that have
UF_USE_DES_KEY_ONLY set, even if they log on with a UPN (user@suffix).

This behaviour is incorrect according to Microsoft's own referrals
specification.

-- Luke


