Using Java client with Windows 2003 AD with mixed case PrincipalNames

Jeffrey Altman jaltman2 at nyc.rr.com
Thu Dec 2 07:51:50 EST 2004


Douglas E. Engert wrote:


> (2) Using the Java 1.4.2 code on the other hand will only work
>     if the case of the Principal name matches the case as stored
>     in the AD.
> 
>     In either case the initial AS_REQ has a PA-ENC-TIMESTAMP.
> 
>     When the case of the name is correct, an AS_REP is returned
>     as expected.
> 
>     In the other case a KRB_ERROR with KRB5KDC_PREAUTH-FAILED (24)
>     is returned, which does have an e-data that has the correct salt.
> 
>     So this may be a Java bug, in that it assumed it could send
>     the AS_REQ with the PA-ENC-TIMESTAMP then when it failed, not
>     checking that it had used the wrong salt and tried again
>     with the correct salt. But if it had sent the AS_REQ without the
>     PA-ENC-TIMESTAMP it should have received a KRB-ERROR 25, and
>     handled it like the MIT code.

Although many of us agree that the behavior of Active Directory is
undesirable from a Kerberos perspective because it breaks the
assumptions we have about case-sensitive authenticated name comparisons,
we also accept that the behavior is beneficial to the end user 
experience within Windows Domain Forests and it is unlikely to be
changed.  Therefore, I would say that the Java code should check the 
salt in the KRB-ERROR to ensure that it used the correct one.  If not, 
it should try again.

Jeffrey Altman



-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu

