Problem with case insensitive user names in AD
Douglas E. Engert
deengert at anl.gov
Fri Jan 12 14:47:36 EST 2007
Tim Alsop wrote:
> Douglas, Srinivas,
>
> During my testing I have observed strange, inconsistent results, but
> similar to the findings of yourself and Srinivas. See below :
>
> I have found that you need to use the default enc type for user accounts
> (e.g. RC4-HMAC), e.g. you do not have the "Use DES" flag set in the
> account properties. If the "Use DES" flag is set, then some issues,
> which MS have decided not to fix (to encourage use of non-DES ciphers)
> become aparent related to case sensitivity of principal names.
AFS is service still using DES. Are you referring to the way the DES salt
is handled?
>
> In my test environment I have a Windows Server 2003 SP1 system running a
> domain with Active Directory. All latest fixes are applied, by using
> Windows Update.
>
> In Windows logon screen, I enter account name USer at xxx.com. After logon,
> principal name of TGT in cache (displayed using kerbtray) = user at XXX.COM
> - This is correct because the principal name in the cache is based on
> the case of account, as it is defined in AD.
>
> In Windows logon screen, I enter account name USer, and select domain
> XXX.COM. After logon, principal name of TGT in cache (displayed using
> kerbtray) = USer at XXX.COM
> - This is NOT correct because the principal name in the cache is based
> on the case of the account name entered in logon screen, which might not
> be the same each time the user logs on.
Don't see this on XP Pro client to DC running W2k3 R2 SP1.
Principal always comes back as lower case.
>
> So, from the above, it looks like there is a bug in MS AD on Windows
> Server 2003 SP1, that occurs only when a UPN is not used during user
> logon to Windows.
>
> However, on a different server running Windows Server 2003 SP1, with all
> latest fixes applied, when I logon using UPN and non-UPN logon I get a
> principal name in the Microsoft cache based on the case of the user as
> defined in AD, and not in any way related to the case of user name
> entered during initial logon. Clearly this is not the same as on my
> other server, as I described above, but it is hard to know what the
> differences are since they were both built the same way.
Yes looks strange.
>
> Also, if I found if I run the same tests described above using a Windows
> 2000 DC that I have in my test environment, then both UPN and non-UPN
> account name logon methods work as I would expect. e.g. the principal
> name in cache after the logon is based on the case of account name in
> AD, not using the case of the user account name entered at initial
> Windows logon.
>
> I would be interested to hear if anybody else has experienced the same
> inconsistencies ?
>
> This is all possible because MS Windows is specifying the canonicalize
> flag in the Kerberos AS-REQ. This is recognised by AD and it allows a
> principal name with a case other than the one requested to be used when
> issuing the TGT. Some implementations of Kerberos do not set the
> canonicalize flag in AS-REQ, and therefore the above may not be observed
> if a non-Microsoft Kerberos library (e.g. MIT code or Java) is used to
> request the TGT. With these implementations the case of the principal in
> cache will be same as case of principal in AS-REQ.
>
> You mentioned in your reply that you "use lower case account names for
> users". This is fine, but what happens if a user enters any upper case
> characters for their account during Windows logon ? Do you still see the
> principal in Microsoft cred cache as <lower-case-name>@<REALM> or is it
> <name-entered-on-logon-screen>@<REALM> ? It would be useful if you can
> confirm this to see if you are getting same results as we are.
kerbtray always shows lower case.
>
> Thanks,
> Tim
>
>
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
> Behalf Of Douglas E. Engert
> Sent: 12 January 2007 16:42
> To: Srinivas Cheruku
> Cc: kerberos at mit.edu
> Subject: Re: Problem with case insensitive user names in AD
>
>
>
> Srinivas Cheruku wrote:
>> Hi,
>>
>> We have an environment consisting of Win2k and Win2k3 servers and
>> workstations with Window XP SP2.
>> The users created in AD are with lower case user principal names. eg:
>> scheruku at XXX.COM
>
> We ran into a problem like this too. Account names in AD are case
> insensitive.
> Kerberos principals are case sensitive. So windows will accept any case
> and will return a ticket with some case. I think W2K3 is trying to
> do the best it can in this case :-).
>
> (Java had a problem with pre-auth and the salt with DES, as it assumed
> it
> know the principal with case and thus the salt. The salt is case
> sensitive.
> Java 1.6 fixed this.)
>
> Our solution, use lower case account names for users.
>
> This means you can not have two principal names in AD that differ
> only by case.
>
>> While logging to Win2k3 AD using winlogon from WinXP, I have used the
>> user name in mixed case eg: Scheruku in the WinLogon screen for
>> authenticating.
>> I have observed the following,
>> 1. In the Windows Credential cache, the TGT is with the client
> principal
>> name as Scheruku at XXX.COM though the correct client name (UPN) is
>> scheruku at XXX.COM
>> 2. I checked using ethereal and the AS-REQ, contains :
>> 2.1 Canonicalization flag set.
>> 2.2 client name: Scheruku (as given in logon screen)
>> 3. AS-REP
>> 3.1 client name: Scheruku (as given in logon screen)
>>
>> I think the TGT should be with the client name as that of
> sAMAccountName
>> which is not the case.
>>
>> Then I gave user name as Scheruku at csafe.local (instead of just
> Scheruku)
>> in the Winlogon screen and authenticated to Win2k3 AD.
>> I observed the following now :
>> 1. In the Windows Credential cache, the TGT is with the client
> principal
>> name as scheruku at XXX.COM
>> 2. I checked using ethereal and the AS-REQ, contains :
>> 2.1 Canonicalization flag set.
>> 2.2 client name: Scheruku (as given in logon screen)
>> 3. AS-REP
>> 3.1 client name: scheruku (same as that of sAMAccountName)
>
> What is the UserPrincipalName ? I believe W2K3 should be
> trying to have the ticket match this even with case.
>
>>
>>
>> Thinking that there might be some issue with my Win2k3 AD, I tested
> the
>> same with Win2k AD. i.e. I have used the user name in mixed case eg:
>> Scheruku and authenticated using WinLogon screen.
>> I observed the following now :
>> 1. In the Windows Credential cache, the TGT is with the client
> principal
>> name as scheruku at XXX.COM
>> 2. I checked using ethereal and the AS-REQ, contains :
>> 2.1 Canonicalization flag set.
>> 2.2 client name: Scheruku (as given in logon screen)
>> 3. AS-REP
>> 3.1 client name: scheruku (same as that of sAMAccountName)
>>
>> I don't understand the reason why Win2k3 AD is working differently
> when
>> compared with Win2k. Can anyone help me to resolve the problem with my
>
>> Win2k3 server?
>>
>> Thanks,
>> Srini
>>
>>
>> ________________________________________________
>> Kerberos mailing list Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list