Question about draft-ietf-krb-wg-kerberos-referrals

Tim Alsop Tim.Alsop at CyberSafe.Com
Thu Jan 3 07:47:45 EST 2008

I wondered if somebody could give me some advice on the referrals draft.


In section 5 (client referrals) it mentions checking if the canonical
flag is set - see below:


   If the account is not present in the realm specified in the request
   and the "canonicalize" KDC option is set, the KDC will try to lookup
   the entire name, alice@MS.COM, using a name service. If this lookup
   is unsuccessful, it MUST return the error KDC_ERR_C_PRINCIPAL_UNKNOWN


I assume this check is to determine if the Kerberos client is Microsoft
Windows? If so, I am aware of at least 2 Kerberos clients running on
UNIX or Linux which are able to send the canonical flag in a request, so
surely using this flag to determine if the client is Microsoft is not a
good idea?


I look forward to any feedback on this.