Problem with case insensitive user names in AD

Douglas E. Engert deengert at anl.gov
Fri Jan 12 11:42:01 EST 2007



Srinivas Cheruku wrote:
> Hi,
> 
> We have an environment consisting of Win2k and Win2k3 servers and 
> workstations with Windows XP SP2.
> The users created in AD are with lower case user principal names. eg: 
> scheruku at XXX.COM

We ran into a problem like this too. Account names in AD are case insensitive.
Kerberos principals are case sensitive. So Windows will accept any case
and will return a ticket with some case. I think W2K3 is trying to
do the best it can in this case :-).

(Java had a problem with pre-auth and the salt with DES, as it assumed it
knew the principal with case and thus the salt. The salt is case sensitive.
Java 1.6 fixed this.)

Our solution: use lower case account names for users.

This means you cannot have two principal names in AD that differ
only by case.

> 
> While logging to Win2k3 AD using winlogon from WinXP, I have used the 
> user name in mixed case eg: Scheruku in the WinLogon screen for 
> authenticating.
> I have observed the following,
> 1. In the Windows Credential cache, the TGT is with the client principal 
> name as Scheruku at XXX.COM though the correct client name (UPN) is 
> scheruku at XXX.COM
> 2. I checked using ethereal and the AS-REQ, contains :
>  2.1 Canonicalization flag set.
>  2.2 client name: Scheruku (as given in logon screen)
> 3. AS-REP
>  3.1 client name: Scheruku (as given in logon screen)
> 
> I think the TGT should be with the client name as that of sAMAccountName 
> which is not the case.
> 
> Then I gave user name as Scheruku at csafe.local (instead of just Scheruku) 
> in the Winlogon screen and authenticated to Win2k3 AD.
> I observed the following now :
> 1. In the Windows Credential cache, the TGT is with the client principal 
> name as scheruku at XXX.COM
> 2. I checked using ethereal and the AS-REQ, contains :
>  2.1 Canonicalization flag set.
>  2.2 client name: Scheruku (as given in logon screen)
> 3. AS-REP
>  3.1 client name: scheruku (same as that of sAMAccountName)

What is the UserPrincipalName? I believe W2K3 should be
trying to have the ticket match this even with case.

> 
> 
> 
> Thinking that there might be some issue with my Win2k3 AD, I tested the 
> same with Win2k AD. i.e. I have used the user name in mixed case eg: 
> Scheruku and authenticated using WinLogon screen.
> I observed the following now :
> 1. In the Windows Credential cache, the TGT is with the client principal 
> name as scheruku at XXX.COM
> 2. I checked using ethereal and the AS-REQ, contains :
>  2.1 Canonicalization flag set.
>  2.2 client name: Scheruku (as given in logon screen)
> 3. AS-REP
>  3.1 client name: scheruku (same as that of sAMAccountName)
> 
> I don't understand the reason why Win2k3 AD is working differently when 
> compared with Win2k. Can anyone help me to resolve the problem with my 
> Win2k3 server?
> 
> Thanks,
> Srini

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
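
Added example, not part of the original message or of any Kerberos implementation: it builds the RFC 4120 default salt (realm followed by the name components, no separators) for the name as typed and the name as the KDC holds it, and shows that a client which guesses the salt from the typed case derives a different key. The function names and the password are hypothetical, and PBKDF2-HMAC-SHA1 stands in for the DES string-to-key mentioned above.

```python
import hashlib

def default_salt(realm, name_components):
    """RFC 4120 default salt: realm, then each name component, no separators."""
    return (realm + "".join(name_components)).encode("utf-8")

def classify_cname(requested, returned):
    """Compare the AS-REQ cname with the cname the KDC put in the AS-REP."""
    if requested == returned:
        return "identical"
    if requested.casefold() == returned.casefold():
        return "case-only"
    return "different"

def stand_in_key(password, salt):
    # Stand-in KDF (assumption): the PBKDF2-HMAC-SHA1 step of RFC 3962 with
    # its default 4096 iterations. It is NOT the DES string-to-key the post
    # refers to; it only shows that a salted derivation follows the salt.
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, 4096, 16)

def check_exchange(realm, typed_name, kdc_name, password):
    """Report what happens when a client guesses the salt from the typed name."""
    client_salt = default_salt(realm, [typed_name])
    kdc_salt = default_salt(realm, [kdc_name])
    return {
        "cname": classify_cname(typed_name, kdc_name),
        "client_salt": client_salt,
        "kdc_salt": kdc_salt,
        "keys_match": stand_in_key(password, client_salt)
        == stand_in_key(password, kdc_salt),
    }

if __name__ == "__main__":
    # Realm and names as quoted in the thread; the password is constructed.
    for typed in ("scheruku", "Scheruku"):
        print(typed, check_exchange("XXX.COM", typed, "scheruku", "constructed-pw"))
```

A client that takes the salt from the KDC's pre-authentication data instead of deriving it from the typed name does not hit the mismatch.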


