Problem with case insensitive user names in AD
Srinivas Cheruku
srinivas.cheruku at gmail.com
Fri Jan 12 08:37:57 EST 2007
Hi,
We have an environment consisting of Win2k and Win2k3 servers and
workstations with Windows XP SP2.
The users created in AD have lower-case user principal names, e.g.:
scheruku at XXX.COM
While logging on to Win2k3 AD using winlogon from WinXP, I used the
user name in mixed case, e.g. Scheruku, in the WinLogon screen for
authenticating.
I observed the following:
1. In the Windows Credential cache, the TGT is with the client principal
name as Scheruku at XXX.COM though the correct client name (UPN) is
scheruku at XXX.COM
2. I checked using ethereal and the AS-REQ, contains :
2.1 Canonicalization flag set.
2.2 client name: Scheruku (as given in logon screen)
3. AS-REP
3.1 client name: Scheruku (as given in logon screen)
I think the TGT should have the same client name as the sAMAccountName,
which is not the case.
Then I gave the user name as Scheruku at csafe.local (instead of just Scheruku)
in the Winlogon screen and authenticated to Win2k3 AD.
I observed the following now :
1. In the Windows Credential cache, the TGT is with the client principal
name as scheruku at XXX.COM
2. I checked using ethereal and the AS-REQ, contains :
2.1 Canonicalization flag set.
2.2 client name: Scheruku (as given in logon screen)
3. AS-REP
3.1 client name: scheruku (same as that of sAMAccountName)
Thinking that there might be some issue with my Win2k3 AD, I tested the
same with Win2k AD, i.e. I used the user name in mixed case, e.g.
Scheruku, and authenticated using the WinLogon screen.
I observed the following now :
1. In the Windows Credential cache, the TGT is with the client principal
name as scheruku at XXX.COM
2. I checked using ethereal and the AS-REQ, contains :
2.1 Canonicalization flag set.
2.2 client name: Scheruku (as given in logon screen)
3. AS-REP
3.1 client name: scheruku (same as that of sAMAccountName)
I don't understand the reason why Win2k3 AD is working differently when
compared with Win2k. Can anyone help me to resolve the problem with my
Win2k3 server?
Thanks,
Srini