Are port numbers supported in server principal names?

Markus Kuhn Markus.Kuhn at cl.cam.ac.uk
Tue Mar 27 11:02:14 EDT 2018


Microsoft's ODBC driver for SQLServer appends a port number
after a colon to the domain name in a service principal name,
as in

   MSSQLSvc/db0.ad.cl.cam.ac.uk:1433@
                               ^^^^^

and even relies on that port number to distinguish different
service instances on the same host:

  "For a TCP/IP connection the SPN is registered in the
   format MSSQLSvc/<FQDN>:<tcpport>. Both named instances
   and the default instance are registered as MSSQLSvc,
   relying on the <tcpport> value to differentiate the instances."

   https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/register-a-service-principal-name-for-kerberos-connections

Since Microsoft's ODBC Driver for SQL Server is now also available
for Linux and macOS

   https://docs.microsoft.com/en-us/sql/connect/odbc/linux-mac/system-requirements

people like myself are now commonly using it with MIT's Kerberos
client libraries.

This driver requests tickets for service principal names such as

   MSSQLSvc/db0.ad.cl.cam.ac.uk:1433@

i.e., with included port number:

   https://docs.microsoft.com/en-us/sql/connect/odbc/linux-mac/known-issues-in-this-version-of-the-driver

I suspect that a lot of the mechanics in the MIT Kerberos
client libraries (e.g., to look up in DNS what
the realm associated with db0.ad.cl.cam.ac.uk or ad.cl.cam.ac.uk
is in a cross-realm environment) do not cope with the
presence of the colon and port number in the SPN (NT-SRV-HST).

For example, the above SPN works in kvno (krb5-1.13.2, Ubuntu 16.04)
only after I remove the port number (whereas both SPNs are registered
in our Active Directory KDC):

$ kvno MSSQLSvc/db0.ad.cl.cam.ac.uk:1433@
kvno: Server not found in Kerberos database while getting credentials for MSSQLSvc/db0.ad.cl.cam.ac.uk:1433@

$ kvno MSSQLSvc/db0.ad.cl.cam.ac.uk@
MSSQLSvc/db0.ad.cl.cam.ac.uk@: kvno = 2

I could not find any mention of port numbers on service principal names
in MIT Kerberos related documentation or RFC 4120, but Microsoft seems
to consider this an essential feature, at least in its ODBC driver
for SQLServer.

Is this a known problem?

Is there any chance that MIT Kerberos (implementation and spec)
could be extended in future to allow port numbers after a colon in SPNs?

At first glance, it seems a perfectly useful extension to me.

Best regards,

Markus


P.S.: I am aware of the syntactic ambiguity caused by the fact that
colons are already used in numeric IPv6 addresses. One solution for
that may be to follow the syntax proposed in

    https://tools.ietf.org/html/rfc2732

for numeric IPv6 addresses and port numbers in URLs, namely to
require square brackets around numeric IPv6 addresses in URLs,
which if applied to SPNs would then look like

   MSSQLSvc/[2001:630:212:228:6069:62ff:fedc:c05b]:1433@

-- 
Markus Kuhn, Computer Laboratory, University of Cambridge
http://www.cl.cam.ac.uk/~mgk25/ || CB3 0FD, Great Britain
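The two syntaxes the post discusses, MSSQLSvc/<FQDN>:<tcpport> and the RFC 2732 bracketed form for IPv6 literals, as an added parser example that is not part of the original post, of MIT Kerberos or of Microsoft's driver. It assumes the generic shape service/host[:port]@realm; the realm AD.CL.CAM.AC.UK used in the test is a constructed value, and without_port() rebuilds the port-less form that kvno accepted above.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Spn:
    service: str
    host: str
    port: Optional[int]   # None when the SPN carries no port
    realm: str            # "" when the SPN ends in a bare "@"

def _port(text: Optional[str]) -> Optional[int]:
    if text is None:
        return None
    port = int(text)  # raises ValueError on non-numeric text
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port

def _split_hostport(hostport: str):
    # RFC 2732 convention: "[v6literal]" optionally followed by ":port".
    if hostport.startswith("["):
        m = re.fullmatch(r"\[([^\]]+)\](?::(\d{1,5}))?", hostport)
        if not m:
            raise ValueError("malformed bracketed IPv6 literal")
        return str(ipaddress.IPv6Address(m.group(1))), _port(m.group(2))
    # Unbracketed: two or more colons can only be a bare IPv6 literal, so
    # there is no port; exactly one colon is host:port; none is a plain host.
    if hostport.count(":") > 1:
        return str(ipaddress.IPv6Address(hostport)), None
    host, sep, port = hostport.partition(":")
    return host, (_port(port) if sep else None)

def parse_spn(spn: str) -> Spn:
    """Parse "service/host[:port]@realm" into its components."""
    principal, sep, realm = spn.rpartition("@")
    if not sep:
        raise ValueError("SPN must contain '@'")
    service, sep, hostport = principal.partition("/")
    if not (service and sep and hostport):
        raise ValueError("SPN must have the form service/host[:port]@realm")
    host, port = _split_hostport(hostport)
    return Spn(service, host, port, realm)

def without_port(spn: str) -> str:
    # Port-less form (what kvno accepted); IPv6 hosts keep RFC 2732 brackets.
    s = parse_spn(spn)
    host = f"[{s.host}]" if ":" in s.host else s.host
    return f"{s.service}/{host}@{s.realm}"
```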

