non-ascii password in kerberos authentication

Paul Moore paul.moore at
Fri Sep 14 17:14:10 EDT 2007

Sorry - I mean DES or RC4? 

-----Original Message-----
From: Paul Moore 
Sent: Friday, September 14, 2007 2:14 PM
To: 'Xu Qiang'; krbdev at
Subject: RE: non-ascii password in kerberos authentication


DES does not define the password behaviour for non-ASCII; MSFT has implemented it in such a way that it is basically impossible to interop with (they translate the Unicode to an OEM 8-bit char set, but which one they use depends on the language pack in use on the DC, which you cannot discover remotely).

HMAC does define the non-ASCII behaviour, so it should be OK (in my experience).

-----Original Message-----
From: krbdev-bounces at [mailto:krbdev-bounces at] On Behalf Of Xu Qiang
Sent: Friday, September 14, 2007 2:14 AM
To: krbdev at
Subject: non-ascii password in kerberos authentication

Hi, all:

Our printers are using krb5 developed by MIT as a client for Kerberos authentication.

Recently, I found that when a user tried to log into the printer against Windows 2003 Server running the Kerberos service, it will fail if his/her password contains non-ASCII characters. However, it will succeed if only the username contains non-ASCII characters.

There are two users with <username>/<password> in ADS as:
1. "stmêé/Fair123"
This can be authenticated.

2. "stm123/êéFair123"
This cannot be authenticated.

Although Kerberos cannot authenticate the second one, LDAP can. That shows that the Kerberos algorithm still has some defects in it.

I looked at the source code, and found the same algorithm is used to convert Latin characters to UTF characters, for both username and password. So essentially it should work for the password, since a username containing non-ASCII chars can be passed, right?

I got confused and want to know if any extra work needs to be done for a password having non-ASCII chars in it.

Xu Qiang
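
The charset dependence described in the reply above, as an added example (not code from this thread or from MIT krb5): it groups a constructed list of candidate 8-bit code pages by the password bytes each would feed to a string-to-key function, next to the single UTF-16LE form that RC4-HMAC hashes (RFC 4757). The code-page list and the function names are assumptions for illustration, not the selection logic a Windows DC uses.

```python
# Added example: groups candidate encodings by the password bytes they produce.
# The code-page list is a constructed sample, not Windows' actual selection logic.
from collections import defaultdict

CANDIDATE_CODECS = ["cp437", "cp850", "cp866", "cp1252", "latin-1", "utf-8"]


def encoding_groups(password, codecs=CANDIDATE_CODECS):
    """Return ({encoded_bytes: [codec, ...]}, [codecs that cannot encode it])."""
    groups = defaultdict(list)
    unencodable = []
    for codec in codecs:
        try:
            groups[password.encode(codec)].append(codec)
        except UnicodeEncodeError:
            # This code page has no mapping for some character in the password.
            unencodable.append(codec)
    return dict(groups), unencodable


def is_charset_dependent(password, codecs=CANDIDATE_CODECS):
    """True when the key input bytes depend on which 8-bit charset is chosen."""
    groups, unencodable = encoding_groups(password, codecs)
    return len(groups) > 1 or bool(unencodable)


def rc4_hmac_key_input(password):
    """RFC 4757 feeds the UTF-16LE form of the password to MD4: one fixed encoding."""
    return password.encode("utf-16-le")


if __name__ == "__main__":
    for pw in ("Fair123", "êéFair123"):  # passwords from the thread
        groups, bad = encoding_groups(pw)
        print(f"{pw!r}: charset-dependent={is_charset_dependent(pw)}")
        for raw, names in groups.items():
            print(f"  {raw.hex()}  <- {', '.join(names)}")
        if bad:
            print(f"  not encodable in: {', '.join(bad)}")
        print(f"  RC4-HMAC input (UTF-16LE): {rc4_hmac_key_input(pw).hex()}")
```

A client and a KDC that pick encodings from different groups derive different DES keys from the same typed password, which matches the failure reported for the second account.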
