FW: Kerberos question/bug

William HARDY whardy at pictet.com
Fri Dec 29 02:38:37 EST 2017


Hi Greg,



Many thanks for taking the time to answer my question.



The reason I ask is because we have a case where two different browsers set different names in the "KerberosString" / server host field. One sets the actual FQDN corresponding to the Host A record of the server. The other uses a CNAME associated to the Host A record; the behavior seems quite random. If I understand your email, RFC 4120 does not specify what needs to be placed in here (Host A, CNAME, etc.), it is up to the browser editor to decide what is placed into this field, right?






Thanks,

William




-----Original Message-----
From: Greg Hudson [mailto:ghudson at mit.edu]
Sent: jeudi 28 décembre 2017 20:44
To: William HARDY <whardy at pictet.com>; 'kerberos at mit.edu' <kerberos at mit.edu>
Subject: Re: FW: Kerberos question/bug



On 12/28/2017 02:18 AM, William HARDY wrote:

> What is supposed to be in the TGS-REQ

> (Kerberos->tgs-req->req-body->sname->name-string->KerberosString: ? )



sname contains the server principal name.  RFC 4120 describes the protocol in detail.



> It seems that from the same machine (resolving on the same DNS servers), the contents of this field differs in a Wireshark capture depending on the application used, even though the destination server is the same. What is supposed to be in the "KerberosString" field? What determines the content of this field?



It is common for server principal names to have two components (two KerberosStrings in the name-string sequence), where the first names the application protocol and the second names the server host.  So the first component might be "host" (typically for ssh) or "ldap" or "HTTP", and the second is the FQDN of the server host.
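The behaviour described in this thread (one client naming the server by the CNAME, another by the canonical A-record name) comes down to whether the client canonicalizes the hostname before building the two-component server principal. The following is an added example, not code from the thread or from MIT krb5: it models both client behaviours over a constructed DNS table (the hostnames, addresses and the realm EXAMPLE.COM are placeholders) and derives the set of principal names a service would need to hold keys for so that both kinds of client succeed.

```python
# Added example (not part of the original mailing-list thread).
# Models how a client derives the Kerberos server principal name
# "<service>/<host>@<REALM>" from a hostname, with and without CNAME
# canonicalization, using a constructed in-memory DNS table.

# Constructed DNS data for the example: CNAME records (alias -> target)
# and A records (canonical name -> address). Names are placeholders.
CNAMES = {
    "intranet.example.com.": "web01.corp.example.com.",
}
A_RECORDS = {
    "web01.corp.example.com.": "192.0.2.10",
}


def normalize(hostname):
    """Lowercase and fully-qualify a hostname (trailing dot).
    Lowercasing mirrors what most Kerberos clients do; assumption for this example."""
    return hostname.strip().rstrip(".").lower() + "."


def canonicalize(hostname, cnames=CNAMES, a_records=A_RECORDS, max_hops=8):
    """Follow CNAME records until a name with an A record is reached.
    Raises LookupError if the chain is broken or too long."""
    name = normalize(hostname)
    for _ in range(max_hops):
        if name in a_records:
            return name
        if name in cnames:
            name = normalize(cnames[name])
            continue
        raise LookupError(f"no CNAME or A record for {name}")
    raise LookupError(f"CNAME chain for {hostname} exceeds {max_hops} hops")


def server_principal(service, hostname, realm, canonicalize_cname):
    """Build the two-component server principal described in the thread:
    component 1 is the protocol ("HTTP", "ldap", "host"), component 2 the host."""
    host = canonicalize(hostname) if canonicalize_cname else normalize(hostname)
    components = [service, host.rstrip(".")]
    return "/".join(components) + "@" + realm


def parse_principal(text):
    """Split "svc/host@REALM" into its name-string components and realm.
    Simple form only: no handling of escaped '/' or '@' characters."""
    name, sep, realm = text.rpartition("@")
    if not sep:
        raise ValueError("principal has no realm")
    return name.split("/"), realm


def spns_needed(service, hostname, realm):
    """Principal names a service must have keys for so that both a
    canonicalizing and a non-canonicalizing client can get a usable ticket."""
    return sorted({
        server_principal(service, hostname, realm, canonicalize_cname=True),
        server_principal(service, hostname, realm, canonicalize_cname=False),
    })


if __name__ == "__main__":
    for canon in (True, False):
        print("canonicalize =", canon, "->",
              server_principal("HTTP", "intranet.example.com", "EXAMPLE.COM", canon))
    print("keys required:", spns_needed("HTTP", "intranet.example.com", "EXAMPLE.COM"))
```

The practical consequence for the service owner is the last function: if only one of the two names is registered, one of the two browser behaviours in the thread will fail with an unknown-principal error even though the TCP connection reaches the same host.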



 
This message is not intended for persons who are citizens of, domiciled or resident in, or entities registered in a country or a jurisdiction in which its distribution, publication, provision or use would violate current laws and regulations. <br> <br>The content of this message is confidential and can only be read and/or used by its addressee. The Pictet Group is not liable for the use, transmission or exploitation of the content of this message. Therefore, any form of reproduction, copying, disclosure, modification and/or publication of the content is under the sole liability of the addressee of this message, and no liability whatsoever will be incurred by the Pictet Group. The addressee of this document agrees to comply with the applicable laws and regulations in the jurisdictions where they use the information reproduced in this document.<br>If you have received this e-mail message in error, please destroy it and delete it from your computer.<br>

