Are port numbers supported in server principal names?

Isaac Boukris iboukris at gmail.com
Tue Mar 27 11:46:53 EDT 2018


On Tue, Mar 27, 2018 at 6:02 PM, Markus Kuhn <Markus.Kuhn at cl.cam.ac.uk> wrote:
> Microsoft's ODBC driver for SQLServer appends a port number
> after a colon to the domain name in a service principal name,
> as in
>
>    MSSQLSvc/db0.ad.cl.cam.ac.uk:1433@
>                                ^^^^^
>
> and even relies on that port number to distinguish different
> service instances on the same host:
>
>   "For a TCP/IP connection the SPN is registered in the
>    format MSSQLSvc/<FQDN>:<tcpport>. Both named instances
>    and the default instance are registered as MSSQLSvc,
>    relying on the <tcpport> value to differentiate the instances."
>
>    https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/register-a-service-principal-name-for-kerberos-connections
>
> Since Microsoft's ODBC Driver for SQL Server is now also available
> for Linux and macOS
>
>    https://docs.microsoft.com/en-us/sql/connect/odbc/linux-mac/system-requirements
>
> people like myself are now commonly using it with MIT's Kerberos
> client libraries.
>
> This driver requests tickets for service principal names such as
>
>    MSSQLSvc/db0.ad.cl.cam.ac.uk:1433@
>
> i.e., with included port number:
>
>    https://docs.microsoft.com/en-us/sql/connect/odbc/linux-mac/known-issues-in-this-version-of-the-driver
>
> I suspect that a lot of the mechanics in the MIT Kerberos
> client libraries (e.g., to look up in DNS what
> the realm associated with db0.ad.cl.cam.ac.uk or ad.cl.cam.ac.uk
> is in a cross-realm environment) does not cope with the
> presence of the colon and port number in the SPN (NT-SRV-HST).
>
> For example, the above SPN works in kvno (krb5-1.13.2, Ubuntu 16.04)
> only after I remove the port number (whereas both SPNs are registered
> in our Active Directory KDC):
>
> $ kvno MSSQLSvc/db0.ad.cl.cam.ac.uk:1433@
> kvno: Server not found in Kerberos database while getting credentials for MSSQLSvc/db0.ad.cl.cam.ac.uk:1433@
>
> $ kvno MSSQLSvc/db0.ad.cl.cam.ac.uk@
> MSSQLSvc/db0.ad.cl.cam.ac.uk@: kvno = 2


Note: I tried to simulate this in a lab, using version 1.15.2 (Fedora), and
it seems to work OK.

On the DC I ran:
setspn -S MSSQLSvc/myhost.acme.com:1433 ACME\apache
setspn -S MSSQLSvc/myhost.acme.com:1444 ACME\tomcat
setspn -S MSSQLSvc/myhost.acme.com ACME\ngix

And then the above kvno gets a ticket for each.

See tshark traces at:
https://pastebin.com/Hb80rs6s
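The thread above turns on one parsing detail: the second component of an NT-SRV-HST principal such as `MSSQLSvc/db0.ad.cl.cam.ac.uk:1433@` must be sent to the KDC verbatim (that is the string `setspn` registered), but any DNS or [domain_realm]-style lookup has to be done on the bare host name, with the `:port` suffix stripped. The following Python is an added illustration of that split and is not code from MIT krb5 or from either poster; it models the principal format in a simplified way (only a numeric `:port` suffix is recognised, anything else stays part of the host component) and uses a constructed domain-to-realm table, so it should be read as a demonstration of the logic rather than a description of what any particular library version does.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class ServicePrincipal:
    service: str          # e.g. "MSSQLSvc"
    host: str             # DNS name with the port removed; use this for lookups
    port: Optional[int]   # None when the SPN carries no ":port"
    realm: str            # "" means "let the client pick the realm"

    def components(self) -> Tuple[str, ...]:
        # The host component keeps ":port" because that is exactly the name
        # registered in the KDC (compare the setspn commands in the thread).
        host_component = self.host if self.port is None else f"{self.host}:{self.port}"
        return (self.service, host_component)

    def unparse(self) -> str:
        return "/".join(self.components()) + "@" + self.realm


def parse_spn(spn: str) -> ServicePrincipal:
    """Split 'service/host[:port]@REALM' into its parts (simplified model)."""
    name, at, realm = spn.rpartition("@")
    if not at:                       # no '@' at all: whole string is the name
        name, realm = spn, ""
    service, slash, host_part = name.partition("/")
    if not slash or not service or not host_part:
        raise ValueError(f"not a service/host principal: {spn!r}")
    host, colon, port_text = host_part.rpartition(":")
    # Assumption: only an all-digit suffix in the TCP port range is a port;
    # any other ':suffix' is left inside the host component untouched.
    if colon and host and port_text.isdigit() and 0 < int(port_text) < 65536:
        return ServicePrincipal(service, host, int(port_text), realm)
    return ServicePrincipal(service, host_part, None, realm)


def naive_host(spn: str) -> str:
    """What a lookup that ignores ':port' would hand to DNS / realm mapping."""
    return spn.split("@", 1)[0].split("/", 1)[1]


def map_realm(host: str, domain_realm: Dict[str, str]) -> Optional[str]:
    """Walk from the full host name up through its parent domains, the way a
    [domain_realm]-style table is consulted (simplified; assumption)."""
    host = host.lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in domain_realm:
            return domain_realm[candidate]
    return None


# Constructed mapping for the demonstration; not taken from any real config.
DOMAIN_REALM = {".ad.cl.cam.ac.uk": "AD.CL.CAM.AC.UK"}


def realm_for_spn(spn: str, naive: bool = False) -> Optional[str]:
    """Realm lookup done either on the bare host (correct) or on the raw
    second component including ':port' (naive)."""
    host = naive_host(spn) if naive else parse_spn(spn).host
    return map_realm(host, DOMAIN_REALM)


if __name__ == "__main__":
    spn = "MSSQLSvc/db0.ad.cl.cam.ac.uk:1433@"
    p = parse_spn(spn)
    print("components sent to KDC:", p.components())
    print("host used for lookups: ", p.host, "port:", p.port)
    print("realm (port stripped): ", realm_for_spn(spn))
    print("realm (naive):         ", realm_for_spn(spn, naive=True))
```

Running it shows the two behaviours side by side: the port-aware path maps `db0.ad.cl.cam.ac.uk` to the constructed realm, while the naive path searches for suffixes of `db0.ad.cl.cam.ac.uk:1433` and finds nothing, which is the kind of failure the original poster suspected. Whether a given krb5 release actually behaves one way or the other is what the lab test in this reply checks; the code only makes the distinction concrete.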

