MS-KDC / MIT Interoperability

[Luke Howard]

Much of this (except for NetBIOS name support, although this may 
arguably be a logical extension) is explained in
draft-swift-win2k-krb-referrals-01.txt.

>Another interesting problem is with service principal names.  Typically, an AD client will request a ticket with a service
>principal in the form HOST/dc.domain at REALM.  If our domain controller (or kdc) resides on dc.ibm.foo.bar, then this would
>be a request for HOST/dc.ibm.foo.bar at IBM.FOO.BAR.  Of course, in certain circumstances, a client can request
>HOST/netbios_name at REALM or if our netbios dc name was NBDC, HOST/NBDC$@IBM.FOO.BAR.  In this circumstance, the dns form
                                                             ^^^^^^^^^^

Surely you mean HOST/NDBC? Name canonicalization with an AD KDC
typically maps HOST/NBDC at REALM or HOST/dc.ibm.foobar at REALM to
NDBC$@REALM. (This is completely dependent on the value of the
servicePrincipalName attribute.)

Supporting name canonicalization properly, particularly in a multiple
realm environment, is difficult without a directory server backended
KDC. (For example, how do you know the canonical realm for a
foreign Kerberos realm? or a UPN suffix in a foreign forest?)

-- Luke

--
Luke Howard | PADL Software Pty Ltd | www.padl.com