Is this TGS-REP legal now?

Thu Mar 18 03:43:20 EDT 2010

Hi All

A customer sends me a pcap file containing this TGS-REQ/TGS-REP pair. You can see that the sname in the returned ticket is different from the one requested. IIRC, in the case of cross-realm authentication, it's the client's responsibility to request for the inter-realm TGT. I've also checked draft-ietf-krb-wg-kerberos-referrals-11, and it says this KDC side friendly "recommendation" should only be done when the client requests for the "canonicalize" KDC option.

Is this still true today? Or, does MS Active Directory really act this way?

Kerberos TGS-REQ
    padata: PA-TGS-REQ
        Type: PA-TGS-REQ (1)
            Value: 6E8204B3308204AFA003020105A10302010EA20703050000... AP-REQ
                Ticket
                    Realm: NAEDEV.ADDEV.CUSTOMER.DOMAIN
                    Server Name (Service and Instance): krbtgt/NAEDEV.ADDEV.CUSTOMER.DOMAIN
    KDC_REQ_BODY
        KDCOptions: 00000000
        Realm: NAEDEV.ADDEV.CUSTOMER.DOMAIN
        Server Name (Unknown): HTTP/www.exchaddev.customer.domain

Kerberos TGS-REP
    Ticket
        Realm: NAEDEV.ADDEV.CUSTOMER.DOMAIN
        Server Name (Service and Instance): krbtgt/ADDEV.CUSTOMER.DOMAIN

All parties Windows.

Thanks
Max