MS-KDC / MIT Interoperability

Luke Howard lukeh at PADL.COM
Wed Jun 11 02:34:55 EDT 2003

Much of this (except for NetBIOS name support, although this may 
arguably be a logical extension) is explained in

>Another interesting problem is with service principal names.  Typically, an AD client will request a ticket with a service
>principal in the form HOST/dc.domain@REALM.  If our domain controller (or kdc) resides on, then this would
>be a request for HOST/@IBM.FOO.BAR.  Of course, in certain circumstances, a client can request
>HOST/netbios_name@REALM or if our netbios dc name was NBDC, HOST/NBDC$@IBM.FOO.BAR.  In this circumstance, the dns form

Surely you mean HOST/NDBC? Name canonicalization with an AD KDC
typically maps HOST/NBDC@REALM or HOST/@REALM to
NDBC$@REALM. (This is completely dependent on the value of the
servicePrincipalName attribute.)

Supporting name canonicalization properly, particularly in a multiple
realm environment, is difficult without a directory-server-backed
KDC. (For example, how do you know the canonical realm for a
foreign Kerberos realm? Or for a UPN suffix in a foreign forest?)

-- Luke

Luke Howard | PADL Software Pty Ltd |
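The mapping discussed above (a requested HOST/&lt;name&gt;@REALM resolving to the computer account's principal only because that SPN appears in the account's servicePrincipalName attribute, and not resolving at all for a realm whose directory the KDC cannot see) can be modelled in a few lines. The following is an added example written for this archive page, not code from the thread, MIT Kerberos or any AD implementation. The directory snapshot, the account name NBDC$ and the DNS name dc.ibm.foo.bar are constructed for illustration; the page itself elides the DNS form. Service-class aliasing (HOST standing in for other service classes) is deliberately left out so the lookup stays an exact SPN match.

```python
"""Toy model of AD-style service principal name canonicalization.

Added example for the krbdev thread above; not code from the thread or any
real KDC. The directory snapshot below is constructed: each computer account
has a sAMAccountName (e.g. "NBDC$") and a multi-valued servicePrincipalName
attribute, and the KDC only knows the accounts of its own realm.
"""
from __future__ import annotations

from typing import Optional

# Constructed directory snapshot keyed by realm. A foreign realm's accounts
# are not present, which is exactly the multi-realm problem the post raises.
DIRECTORY: dict[str, list[dict]] = {
    "IBM.FOO.BAR": [
        {
            "sAMAccountName": "NBDC$",
            "servicePrincipalName": [
                "HOST/NBDC",              # NetBIOS form
                "HOST/dc.ibm.foo.bar",    # DNS form (constructed name)
                "ldap/dc.ibm.foo.bar",
            ],
        },
    ],
}


def parse_principal(name: str) -> tuple[str, str]:
    """Split 'service/instance@REALM' into (service/instance, REALM)."""
    if "@" not in name:
        raise ValueError(f"principal has no realm component: {name!r}")
    spn, realm = name.rsplit("@", 1)
    return spn, realm.upper()


def canonicalize(requested: str) -> Optional[str]:
    """Return the canonical account principal for a requested service
    principal, or None when no account in the realm's directory lists that
    SPN (including every principal in a realm this KDC has no directory for).

    Matching is case-insensitive on both service class and instance, which is
    how servicePrincipalName values are compared in practice.
    """
    spn, realm = parse_principal(requested)
    accounts = DIRECTORY.get(realm)
    if accounts is None:
        # Foreign realm: the canonical name cannot be known without that
        # realm's directory, so refuse to guess.
        return None
    service, _, instance = spn.partition("/")
    for acct in accounts:
        for candidate in acct["servicePrincipalName"]:
            c_service, _, c_instance = candidate.partition("/")
            if (c_service.lower() == service.lower()
                    and c_instance.lower() == instance.lower()):
                return f"{acct['sAMAccountName']}@{realm}"
    return None


if __name__ == "__main__":
    for req in ("HOST/NBDC@IBM.FOO.BAR",
                "host/dc.ibm.foo.bar@ibm.foo.bar",
                "HOST/NBDC@OTHER.EXAMPLE",
                "HOST/unknown-host@IBM.FOO.BAR"):
        print(f"{req:40} -> {canonicalize(req)}")
```

The point worth checking in a real deployment is the unresolved case: a KDC that answers a request it cannot canonicalize by guessing a principal is handing out tickets for a name nobody registered, so the lookup should return nothing rather than fabricate a mapping.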
