Support of non-ASCII username/password in KDC of Win2000 server
Jeffrey Altman
jaltman at columbia.edu
Fri Aug 8 14:43:36 EDT 2003
I can't speak for Microsoft's handling of non-ASCII names in their KDC.
However, if you choose to use non-ASCII names you will be making your
REALM incompatible with MIT Kerberos and other implementations. This is
because the Kerberos protocol as currently implemented does not provide
a means for specifying the character set to be used. Therefore, only
ASCII is safe and portable.
Jeffrey Altman
Tay, William wrote:
> Mike,
>
> Thanks for pointing out the problem in my email. Please see my original
> message as shown below.
> Let me know if it's still a problem. Thanks.
>
> Will
>
> -----Original Message-----
> From: Mike Friedman [mailto:mikef at ack.Berkeley.EDU]
> Sent: Friday, August 08, 2003 2:02 PM
> To: William.Tay at usa.xerox.com
> Subject: Re: Support of non-ASCII username/password in KDC of Win2000
> server
>
> Will,
>
> Others have probably already replied to you on this. I can't answer
> the Kerberos question definitively because I support an MIT KDC, not
> Win2k. But I thought it somewhat ironic that your email exhibits a
> part of the very problem it discusses.
>
> Notice that all four principals you mention look *identical* in email.
> Since email is an ASCII medium (unless you use MIME or some other
> encoding scheme), your non-ASCII characters won't make it through intact.
> Below you'll see exactly what I received in my mailbox; it actually reads
> funny, because it sounds like you're talking about four occurrences of
> the same ID while wondering why Kerberos is treating them as identical!
>
> Mike
>
> ================================================================
> On Fri Aug 8 08:50:58 2003, Tay, William said:
>
> > I have a question about Kerberos authentication against a KDC on a
> > Win 2000 server, using non-ASCII username/password. The non-Windows
> > client that I use is kinit.
> >
> > First, I tried to insert the following pairs of username/password in
> > sequence into the Kerberos KDC of the Win 2000 server:
> > a. username=decu; password=decu1
> > b. username=décu; password=decu2
> > c. username=deçu; password=decu3
> > d. username=déçu; password=decu4
> >
> > Apparently, the database is recognizing decu, décu, deçu and déçu as the
> > same string. Hence the pairs in b, c and d cannot be created; it claimed
> > the username already existed.
> >
> > 2. Thinking that decu could be transformed into decu and that username
> > has to be unique, I tried to only create a pair of username=déçu and
> > password=decu. Then verified the hypothesis by invoking kinit with
> > username=decu and password=decu. Result failed.
> >
> > 3. Creating only username=decu and password=decu in the KDC, the
> > authentication was successful.
> >
> > Is it true that Windows KDC does not support non-ASCII username/password?
> >
> > Thanks.
> >
> > Will
>
>
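Added example, not part of the original messages and not code from any Kerberos implementation: an audit of a principal list for the two hazards discussed in this thread, names that collapse under an accent-insensitive comparison and names whose bytes depend on an unstated character set. The helper names are hypothetical, and `fold_accents` is an assumed model of accent-insensitive matching, not the Windows KDC's actual algorithm.

```python
import unicodedata
from collections import defaultdict

# Constructed sample: the four usernames from the quoted message.
SAMPLE = ["decu", "d\u00e9cu", "de\u00e7u", "d\u00e9\u00e7u"]

def fold_accents(name):
    """Assumed model of an accent-insensitive comparison (hypothetical helper)."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()

def wire_forms(name):
    """Byte strings the same visible name becomes under three common encodings."""
    nfc = unicodedata.normalize("NFC", name)
    nfd = unicodedata.normalize("NFD", name)
    forms = {}
    for label, text, codec in (("latin-1", nfc, "iso-8859-1"),
                               ("utf-8/NFC", nfc, "utf-8"),
                               ("utf-8/NFD", nfd, "utf-8")):
        try:
            forms[label] = text.encode(codec)
        except UnicodeEncodeError:
            forms[label] = None  # name is not representable in this charset
    return forms

def audit(names):
    """Flag names that are unsafe to share between implementations."""
    groups = defaultdict(list)
    for n in names:
        groups[fold_accents(n)].append(n)
    return {
        # Anything outside ASCII has no agreed encoding on the wire.
        "non_ascii": [n for n in names if not n.isascii()],
        # Distinct names that an accent-insensitive store would treat as one.
        "fold_collisions": {k: v for k, v in groups.items() if len(v) > 1},
        # Names whose byte form differs depending on the sender's charset.
        "ambiguous_bytes": [n for n in names
                            if len(set(wire_forms(n).values())) > 1],
    }

if __name__ == "__main__":
    report = audit(SAMPLE)
    for key, value in report.items():
        print(key, "->", value)
    for name in SAMPLE:
        print(repr(name), wire_forms(name))
```

Only the plain ASCII name has a single byte form; each accented name has three, so a key or lookup computed over the bytes differs with the client's character set.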