Kerbeors Windows_ADS: UserID case sensitive issue.

Douglas E. Engert deengert at anl.gov
Thu Mar 9 14:10:34 EST 2006



Surendra Babu wrote:

> Hi Kerberos Team,,
> 
> I am seeing the problem with Case sensitiveness of Username.
> 
> 1. I am wroking on the Kerberos with Windows ADS server. While trying to do
> User AUthentication, I am seeing the following issue. I am using C code not
> Java Libraries
> 
> 2. Our Previous sysadmin guys have set the User names in UPPER case in ADS
> and after that our new sys admin guys have configured the User names in
> Lower case.
> 

Its not the User name, but the userPrinciaplName in an AD account that is
used by Kerberos. The name of the account could stay the same.

> 3. While working with the Kerberos, we found the problem that, case
> sensitiveness is the BIG ISSUE. Because, for some user users, it is upper
> case and for some users it is lower case.

Windows KDC will treat the names as case insensitive, so USER at REALM
and user at REALM would be considered the samp principal.

I think W2000 is a little different then W2003. If I remember, W2000 would
return the case of what was in AD. W2003 will return the case as was sent to
it by the client. (You may want to verify this with some tests.)

Where it makes a difference is with the salt. So you must be using pre-auth,
so the first exchange will return the salt to the client so it can be used
to derive the key from the password and salt.

> 
> 4. Kerberos always look for the case sensitive of USERID. That means, if
> User enter the same case USERID and passwd, then only Authentication
> successful.
> 
> 5. Because of the different sys admins, the USER IDs are not in UNIQUE
> format. Some of them are UPPPER case and some are LOWER case.
> 
> 6. How to resolve this problem? Any idea? Please let me know your thoughts.
> 
> Solution#1: We can change the Server settings: make all of the USERIDs are
> small case. So all of them will be in UNIQUE format. BUt the probelm is: we
> have amy users in terms of 1000s. So this is not a feasible sloution.
>

That was what we did. A few at a time, but there were only a few.

> COuld you please provide me some solution in such a way that, Kerbeors
> client should ignore the case sensitiveness of USERID.

Have the upper case users continue to use uppercase. But keep in mind
that you should not have a principal that differers only by case.

Check the W2000 vs W2003 behavior. Get to all W2003 servers.

> 
> Please let me know your thoughts ASAP. Thanks a lot.
> 
> Regards,
> -Surendra
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444



More information about the Kerberos mailing list