Support of non-ASCII username/password in KDC of Win2000 server
Prabhakaran vaidya
prab at apple.com
Fri Aug 8 20:17:30 EDT 2003
Hi,
I had an instance where a simple ASCII character like @ and the space char
also caused problems in getting tickets. Is there any escape sequence
available for these special characters that Kerberos uses as separators?
Somewhere deep in the code I could see \ backslash as an escape char. But
other places seem to use it without the escape.
Any suggestions?
thanks,
-prab
On Friday, August 8, 2003, at 11:43 AM, Jeffrey Altman wrote:
> I can't speak for Microsoft's handling of non-ASCII names in their
> KDC. However, if you choose to use non-ASCII names you will be making
> your REALM incompatible with MIT Kerberos and other implementations.
> This is because the Kerberos protocol as currently implemented does
> not provide a means for specifying the character set to be used.
> Therefore, only ASCII is safe and portable.
>
> Jeffrey Altman
>
>
> Tay, William wrote:
>
>> Mike,
>> Thanks for pointing out the problem in my email. Please see my
>> original message as shown below.
>> Let me know if it's still a problem. Thanks.
>> Will
>> -----Original Message-----
>> From: Mike Friedman [mailto:mikef at ack.Berkeley.EDU]
>> Sent: Friday, August 08, 2003 2:02 PM
>> To: William.Tay at usa.xerox.com
>> Subject: Re: Support of non-ASCII username/password in KDC of Win2000
>> server
>> Will,
>> Others have probably already replied to you on this. I can't answer
>> the Kerberos question definitively because I support an MIT KDC, not
>> Win2k. But I thought it somewhat ironic that your email exhibits a
>> part of the very problem it discusses.
>> Notice that all four principals you mention look *identical* in email.
>> Since email is an ASCII medium (unless you use MIME or some other
>> encoding scheme), your non-ASCII characters won't make it through
>> intact.
>> Below you'll see exactly what I received in my mailbox; it actually
>> reads funny, because it sounds like you're talking about four
>> occurrences of the same ID while wondering why Kerberos is treating
>> them as identical!
>> Mike
>> ================================================================
>> On Fri Aug 8 08:50:58 2003, Tay, William said:
>> > I have a question about Kerberos authentication against a KDC on a Win 2000
>> > server, using non-ASCII username/password. The non-Windows client that I use
>> > is kinit.
>> >
>> > First, I tried to insert the following pairs of username/password in
>> > sequence into the Kerberos KDC of the Win 2000 server:
>> > a. username=decu; password=decu1
>> > b. username=décu; password=decu2
>> > c. username=deçu; password=decu3
>> > d. username=déçu; password=decu4
>> >
>> > Apparently, the database is recognizing decu, décu, deçu and déçu as the
>> > same string. Hence the pairs in b, c and d cannot be created; it claimed the
>> > username already existed.
>> >
>> > 2. Thinking that decu could be transformed into decu and that username has
>> > to be unique, I tried to only create a pair of username=déçu and
>> > password=decu. Then verified the hypothesis by invoking kinit with
>> > username=decu and password=decu. Result failed.
>> >
>> > 3. Creating only username=decu and password=decu in the KDC, the
>> > authentication was successful.
>> >
>> > Is it true that Windows KDC does not support non-ASCII username/password?
>> >
>> > Thanks.
>> >
>> > Will
>> ------------------------------------------------------------------------
>> _______________________________________________
>> krbdev mailing list krbdev at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/krbdev
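
Added illustration, not part of the original thread and not code from any Kerberos implementation: it shows how an accent-insensitive comparison collapses the four test usernames from William's message into one key, and how the same name produces different bytes under different character sets, which is the portability problem Jeffrey describes. The folding rule is an assumed model of the observed behaviour, not Microsoft's documented algorithm, and all function names are hypothetical.

```python
import unicodedata
from collections import defaultdict

# Constructed sample: the four usernames from the quoted test,
# written with escapes so the file itself stays pure ASCII.
NAMES = ["decu", "d\u00e9cu", "de\u00e7u", "d\u00e9\u00e7u"]

def accent_fold(name):
    """Assumed accent-insensitive key: decompose, drop combining marks, casefold."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()

def collisions(names):
    """Group names by folded key; return only keys shared by more than one name."""
    groups = defaultdict(list)
    for n in names:
        groups[accent_fold(n)].append(n)
    return {k: v for k, v in groups.items() if len(v) > 1}

def wire_forms(name, charsets=("ascii", "latin-1", "utf-8")):
    """Bytes a client would put on the wire per charset; None if not encodable."""
    out = {}
    for cs in charsets:
        try:
            out[cs] = unicodedata.normalize("NFC", name).encode(cs)
        except UnicodeEncodeError:
            out[cs] = None
    return out

def is_portable(name):
    """True only when every charset yields the same bytes, i.e. the name is ASCII."""
    forms = set(wire_forms(name).values())
    return None not in forms and len(forms) == 1

if __name__ == "__main__":
    for key, members in collisions(NAMES).items():
        print("folded key %r is shared by %r" % (key, members))
    for n in NAMES:
        print(repr(n), "portable" if is_portable(n) else wire_forms(n))
```

Running a check like `is_portable` over names before they are provisioned flags principals that two clients with different locale settings would encode as different byte strings.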