Using Java client with Windows 2003 AD with mixed case PrincipalNames

Douglas E. Engert deengert at anl.gov
Wed Dec 1 17:13:53 EST 2004


We are having some problems using Windows AD as a KDC and
the Java 1.4.2 (MIT KfW appears to work as expected). This has
to do with the case of the PrincipalName.

(1) It appears that AD will accept the principal name
     in the case as used by the user, and return a ticket
     in the case the user requested, but will ignore the
     case of the individual letters.

     Windows login or the MIT KfW with a PrincipalName of
     admindee, adminDEE, ADMINDEE or ADMINdee will return
     tickets for all of these, even though there is only
     one account and its UPN is adminDEE.
     Tracings show the MIT code will handle the KRB_ERROR
     message 25 and use the provided salt as expected.

     The initial AS_REQ has no PA_DATA.

     The KRB-ERROR has error code KRB5KDC_ERR_PREAUTH_REQUIRED (25)
     and has e-data with PA-ENCTYPE-INFO (with the salt) ,
     PA-ENC-TIMESTAMP, PA-PK-AS-REP

     The next AS_REQ has PA-ENC-TIMESTAMP and must be using the
     new returned salt.

     The exchange continues as expected.

     But as per the RFCs a PrincipalName is defined using GeneralString
     or now with Clarifications a KerberosString. Note it does not
     discuss the case of these names. So this might be considered a
     bug in AD to ignore the case. We can live with it if we know what
     is going on.


(2) Using the Java 1.4.2 code on the other hand will only work
     if the case of the Principal name matches the case as stored
     in the AD.

     In either case the initial AS_REQ has a PA-ENC-TIMESTAMP.

     When the case of the name is correct, an AS_REP is returned
     as expected.

     In the other case a KRB_ERROR with KRB5KDC_PREAUTH-FAILED (24)
     is returned, which does have an e-data that has the correct salt.

     So this may be a Java bug, in that it assumed it could send
     the AS_REQ with the PA-ENC-TIMESTAMP then when it failed, not
     checking that it had used the wrong salt and tried again
     with the correct salt. But if it had sent the AS_REQ without the
     PA-ENC-TIMESTAMP it should have received a KRB-ERROR 25, and
     handled it like the MIT code.

     The Java code is somewhere between 1510 and Clarifications.
     It supports PA-ENC-TIMESTAMP, TCP to the KDC, but only DES.
     1.5.0 also supports ipv6 and des3, but not rc4hmac.

So we are stuck with AD being too lax with the case of the
PrincipalName, and Java assuming PA-ENC-TIMESTAMP will work
and not using the returned salt to try again.
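To make the difference between the two client behaviours concrete, here is a constructed toy model of the AS exchange described in (1) and (2). It is added here and is not code from the post, from Java, or from MIT Kerberos; the realm, password and PBKDF2-based string2key are stand-ins (the page's enctype is DES), and only the role of the salt is modelled faithfully.

```python
import hashlib
import hmac
# Constructed toy model of the AS exchange described in the post. PBKDF2-SHA256
# stands in for the enctype's string2key (DES on the page); the salt plays the
# same role either way. REALM is a placeholder, not taken from the post.
REALM = "EXAMPLE.ORG"

def default_salt(realm, principal):
    """RFC 4120 default salt: the realm followed by the name components, case kept."""
    return realm + principal

def string2key(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)

def timestamp_proof(key):
    """Stand-in for PA-ENC-TIMESTAMP: only the right key produces this value."""
    return hmac.new(key, b"timestamp", "sha256").digest()

class ToyKDC:
    """AD-like KDC: case-insensitive account lookup, key derived from the
    salt of the account's stored UPN (adminDEE in the post)."""
    def __init__(self, upn, password):
        self.upn = upn
        self.salt = default_salt(REALM, upn)
        self.key = string2key(password, self.salt)

    def as_req(self, cname, pa_enc_timestamp=None):
        if cname.lower() != self.upn.lower():
            return {"error": 6}  # KDC_ERR_C_PRINCIPAL_UNKNOWN
        if pa_enc_timestamp is None:
            # No PA-DATA: PREAUTH_REQUIRED (25) with ETYPE-INFO carrying the salt
            return {"error": 25, "etype_info_salt": self.salt}
        if hmac.compare_digest(pa_enc_timestamp, timestamp_proof(self.key)):
            return {"as_rep": cname}  # ticket issued in the requested case
        # Wrong key (client used the wrong salt): PREAUTH_FAILED (24), e-data has salt
        return {"error": 24, "etype_info_salt": self.salt}

def java_like_client(kdc, typed_name, password):
    """Sends PA-ENC-TIMESTAMP at once with a salt derived from the typed name
    and does not retry with the salt returned in the KRB-ERROR."""
    key = string2key(password, default_salt(REALM, typed_name))
    return kdc.as_req(typed_name, timestamp_proof(key))

def mit_like_client(kdc, typed_name, password):
    """Sends a bare AS-REQ first, then derives the key from the KDC's salt."""
    reply = kdc.as_req(typed_name)
    if reply.get("error") == 25:
        key = string2key(password, reply["etype_info_salt"])
        reply = kdc.as_req(typed_name, timestamp_proof(key))
    return reply
```

With an account whose UPN is adminDEE, `java_like_client` succeeds only when the typed name matches that case exactly and otherwise gets error 24, while `mit_like_client` succeeds for any casing because it keys from the salt the KDC returned.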

We can get around this by not allowing the use of mixed case
PrincipalNames, but this has crept in and it's only the Java that has the
problems.

Any comments?

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444