Special Characters in Principal Names

Greg Hudson ghudson at MIT.EDU
Mon Aug 5 14:21:52 EDT 2013


On 08/02/2013 12:46 PM, Bram Cymet wrote:
> I am wondering if it is possible to have special characters in principal
> names? For example áharuchio at TEST.LS.CBN.

Sort of.

The Kerberos 5 protocol officially restricts principal names to ASCII
characters, mainly because the ASN.1 type used to communicate principal
components is GeneralString, which can't hold UTF-8 values.

In reality, implementations of Kerberos do not check this; they accept
any octet values in principal names on the wire.  As a result, people
put various kinds of non-ASCII values there.  Sites with Active
Directory in the mix tend to use UTF-8, but other sites reportedly use
different encodings.  This situation is pretty hard to disentangle, so
our implementation currently doesn't make very many assumptions about
octet values in principal names.

A notable exception is the LDAP KDB module.  The Kerberos schema defines
the krbPrincipalName attribute as having syntax
IA5 String (1.3.6.1.4.1.1466.115.121.1.26), which restricts the value to
ASCII characters.  This is what blocks you from using accented
characters in your deployment.

I don't know of a good workaround for you which doesn't involve
switching KDB modules.  My understanding is that FreeIPA has its own
LDAP KDB module (with a different schema from ours) which might not have
this restriction, but I don't have direct experience with it.
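The distinction Greg draws above (arbitrary octets on the wire versus the IA5 String syntax of krbPrincipalName in the LDAP KDB schema) can be checked before provisioning a principal. The following is an added example written for this thread, not MIT Kerberos or FreeIPA code: it splits a principal name into components and realm with a simplified, hypothetical reimplementation of the backslash-escape rules used by krb5_parse_name, shows the octets a non-LDAP KDB module would store unchecked, and lists every character that would fall outside IA5/ASCII and so be rejected by the LDAP schema. The encoding passed to wire_octets is a site assumption; the thread notes UTF-8 is common but not universal.

```python
# Added example for this thread; not MIT Kerberos or FreeIPA code.  It
# mirrors the constraint discussed above: principal components are arbitrary
# octets on the wire, but an LDAP krbPrincipalName attribute with IA5 String
# syntax (1.3.6.1.4.1.1466.115.121.1.26) only holds octets 0x00-0x7F.
from typing import List, Optional, Tuple

# Backslash escapes in the style of MIT's krb5_parse_name.  This is a
# simplified hypothetical reimplementation, not the library's own parser.
_ESCAPES = {"n": "\n", "t": "\t", "b": "\b", "0": "\0"}


def parse_principal(name: str) -> Tuple[List[str], Optional[str]]:
    """Split 'c1/c2@REALM' into (components, realm).

    '\\/' and '\\@' yield a literal '/' or '@', '\\\\' a backslash.  An
    unescaped '/' inside the realm is kept literally; a second unescaped
    '@' is treated as malformed.  Realm is None when no '@' is present.
    """
    comps: List[str] = []
    cur: List[str] = []
    realm: Optional[str] = None
    in_realm = False
    i = 0
    while i < len(name):
        c = name[i]
        if c == "\\" and i + 1 < len(name):
            nxt = name[i + 1]
            cur.append(_ESCAPES.get(nxt, nxt))
            i += 2
            continue
        if c == "/" and not in_realm:
            comps.append("".join(cur))
            cur = []
        elif c == "@":
            if in_realm:
                raise ValueError("malformed principal: second unescaped '@'")
            comps.append("".join(cur))
            cur = []
            in_realm = True
        else:
            cur.append(c)
        i += 1
    if in_realm:
        realm = "".join(cur)
    else:
        comps.append("".join(cur))
    return comps, realm


def wire_octets(name: str, encoding: str = "utf-8") -> bytes:
    """Octets a KDB module such as db2 would store without inspection.
    The encoding is a site choice (assumed UTF-8 here)."""
    return name.encode(encoding)


def ia5_violations(name: str) -> List[Tuple[str, str, bytes]]:
    """Return (location, char, utf8_octets) for every character outside
    IA5/ASCII, i.e. each character that would make the LDAP KDB schema
    reject the krbPrincipalName value."""
    comps, realm = parse_principal(name)
    bad: List[Tuple[str, str, bytes]] = []
    for idx, comp in enumerate(comps):
        for ch in comp:
            if ord(ch) > 0x7F:
                bad.append((f"component[{idx}]", ch, ch.encode("utf-8")))
    for ch in realm or "":
        if ord(ch) > 0x7F:
            bad.append(("realm", ch, ch.encode("utf-8")))
    return bad


def fits_ldap_kdb(name: str) -> bool:
    """True when every octet of the name is storable as IA5 String."""
    return not ia5_violations(name)


if __name__ == "__main__":
    # Constructed samples: the accented name from the question and an
    # ordinary ASCII service principal.
    for p in ("\u00e1haruchio@TEST.LS.CBN", "host/kdc.example.com@EXAMPLE.COM"):
        verdict = "ldap-ok" if fits_ldap_kdb(p) else ia5_violations(p)
        print(p, wire_octets(p), verdict)
```

Running the block prints the UTF-8 octets for both names and flags only the accented one, with the offending character located in its first component; an ASCII principal passes unchanged.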
