JAVASEC - Using Java client with Windows 2003 AD with mixed case PrincipalNames

Douglas E. Engert deengert at anl.gov
Thu Dec 2 09:31:09 EST 2004



Luke Howard wrote:

>>AD is stretching clarifications significantly in how it handles case
>>of principal names.  However it's much more usable than what other
>>implementations do.  There was a long and heated discussion between
>>Martin Rex and people at Microsoft over this issue.
> 
> 
> If you are using a Windows 2000 KDC (there's a bug in 2003) and the

(We are using 2003)

> client principals do not have UF_USE_DES_KEY_ONLY set, then you could
> try modifying the Java client to send the "canonicalize" KDC option.


We can live with the MS case handling, now that we understand
what is going on. i.e. users must use the correct case, we may
force all to lower too. If we do this, then the Java will also work,
as the salt will be correct.

The consensus so far is that Java is not doing the PRE-AUTH correctly.
We don't want to modify the Java client, we want the Java people to
fix the PRE-AUTH handling.

Sending the canonicalize option won't work with the current Java code
since Java is sending the first AS-REQ with the PA-ENC-TIMESTAMP encrypted
in the wrong key because the wrong salt was used. The Java code does not
try again with the correct salt which is in the KRB_ERROR 25 message.

But the canonicalize option might solve the problem of AD issuing
tickets for principals with any case, so other Kerberos applications
work as expected.


> -- Luke


-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
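The pre-authentication exchange the post describes, as an added illustration that is not part of the original mailing-list thread: a toy KDC keys the account from the salt built with the stored (AD) case of the name, a client that derives its salt from the name as typed encrypts the PA-ENC-TIMESTAMP with the wrong key, and only a client that reads the salt back from the KRB-ERROR 25 (KDC_ERR_PREAUTH_REQUIRED) ETYPE-INFO recovers. The `string_to_key` and `encrypt_timestamp` functions are stand-ins (PBKDF2-HMAC-SHA1 and an HMAC tag), not the real RFC 3961 DES or AES string-to-key and encryption; `ToyKDC`, `client_login` and the `EXAMPLE.COM`/`Engert` values are constructed for the example.

```python
"""Model of the AS-REQ pre-auth salt problem described in the post.

Assumed/constructed: ToyKDC, client_login, the string_to_key and
encrypt_timestamp stand-ins, and the sample realm, name and password.
"""
import hashlib
import hmac

KDC_ERR_PREAUTH_FAILED = 24     # timestamp did not decrypt under the stored key
KDC_ERR_PREAUTH_REQUIRED = 25   # the "KRB_ERROR 25" of the post; carries ETYPE-INFO
TIMESTAMP = "20041202143109Z"   # constructed KerberosTime value


def default_salt(realm, principal):
    """RFC 4120 section 4.1 default salt: realm then name components, no separators."""
    return realm + "".join(principal.split("/"))


def string_to_key(password, salt):
    """Stand-in for string_to_key(): PBKDF2-HMAC-SHA1 over (password, salt).
    The real DES/AES functions differ, but share the property that matters here:
    a different salt yields a different key."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 1000, 16)


def encrypt_timestamp(key, timestamp):
    """Stand-in for the PA-ENC-TIMESTAMP ciphertext: an HMAC tag under the client key."""
    return hmac.new(key, timestamp.encode(), hashlib.sha256).digest()


class ToyKDC:
    """One account, keyed from the salt built with the case the directory stores."""

    def __init__(self, realm, stored_name, password):
        self.realm = realm
        self.salt = default_salt(realm, stored_name)
        self.key = string_to_key(password, self.salt)

    def as_req(self, principal, padata=None):
        """Return (error_code, payload). 0 means an AS-REP was issued."""
        if padata is None:
            # First round: demand pre-auth and hand the correct salt back in ETYPE-INFO
            return KDC_ERR_PREAUTH_REQUIRED, {"etype-info": {"salt": self.salt}}
        expected = encrypt_timestamp(self.key, TIMESTAMP)
        if hmac.compare_digest(padata["pa-enc-timestamp"], expected):
            return 0, {"as-rep": "ticket-for-" + principal}
        return KDC_ERR_PREAUTH_FAILED, {}


def client_login(kdc, typed_principal, password, honor_etype_info):
    """AS exchange with pre-auth.

    honor_etype_info=False reproduces the behaviour the post attributes to the
    Java client: the salt is derived from the name as typed and the salt in the
    KRB-ERROR 25 reply is ignored. honor_etype_info=True retries with that salt.
    """
    salt = default_salt(kdc.realm, typed_principal)
    status, payload = kdc.as_req(typed_principal)
    if status == KDC_ERR_PREAUTH_REQUIRED and honor_etype_info:
        salt = payload["etype-info"]["salt"]   # use the KDC's salt, not our guess
    key = string_to_key(password, salt)
    padata = {"pa-enc-timestamp": encrypt_timestamp(key, TIMESTAMP)}
    status, payload = kdc.as_req(typed_principal, padata)
    return status


if __name__ == "__main__":
    kdc = ToyKDC("EXAMPLE.COM", "Engert", "correct horse battery staple")
    print("typed lower case, salt from typed name :", client_login(kdc, "engert", "correct horse battery staple", False))
    print("typed lower case, salt from ETYPE-INFO :", client_login(kdc, "engert", "correct horse battery staple", True))
    print("typed stored case, salt from typed name:", client_login(kdc, "Engert", "correct horse battery staple", False))
```

The first call fails with 24 because "EXAMPLE.COMengert" and "EXAMPLE.COMEngert" produce different keys; the second succeeds because the client takes the salt from the error reply; the third shows why forcing users to type the stored case (the workaround the post settles on) also works without any client change.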

