Question about draft-ietf-krb-wg-kerberos-referrals

Tim Alsop Tim.Alsop at CyberSafe.Com
Thu Jan 3 08:00:14 EST 2008


The URL in my email (see below) was wrong. It should have been


-----Original Message-----
From: krbdev-bounces at [mailto:krbdev-bounces at] On Behalf
Of Tim Alsop
Sent: 03 January 2008 12:48
To: krbdev at
Subject: Question about draft-ietf-krb-wg-kerberos-referrals

I wondered if somebody could give me some advice on the referrals draft


In section 5 (client referrals) it mentions checking if the canonical
flag is set - see below:


   If the account is not present in the realm specified in the request
   and the "canonicalize" KDC option is set, the KDC will try to lookup
   the entire name, alice at MS.COM, using a name service. If this lookup
   is unsuccessful, it MUST return the error KDC_ERR_C_PRINCIPAL_UNKNOWN


I assume this check is to determine if the Kerberos client is Microsoft
Windows? If so, I am aware of at least 2 Kerberos clients running on
UNIX or Linux which are able to send the canonical flag in a request, so
surely using this flag to determine if the client is Microsoft is not a
good idea?


I look forward to any feedback on this.




