Is this TGS-REP legal now?
Weijun.Wang at sun.com
Thu Mar 18 03:43:20 EDT 2010
A customer sent me a pcap file containing this TGS-REQ/TGS-REP pair. You can see that the sname in the returned ticket is different from the one requested. IIRC, in the case of cross-realm authentication, it's the client's responsibility to request the inter-realm TGT. I've also checked draft-ietf-krb-wg-kerberos-referrals-11, and it says this KDC-side friendly "recommendation" should only be done when the client requests the "canonicalize" KDC option.
Is this still true today? Or, does MS Active Directory really act this way?
Type: PA-TGS-REQ (1)
Value: 6E8204B3308204AFA003020105A10302010EA20703050000... AP-REQ
Server Name (Service and Instance): krbtgt/NAEDEV.ADDEV.CUSTOMER.DOMAIN
Server Name (Unknown): HTTP/www.exchaddev.customer.domain
Server Name (Service and Instance): krbtgt/ADDEV.CUSTOMER.DOMAIN
All parties Windows.
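An added example, not code from the original post or from any Kerberos implementation: a client-side check that decodes the KDCOptions BIT STRING from a TGS-REQ and classifies the TGS-REP above as a permitted referral (canonicalize requested) or an unsolicited one. It assumes the HTTP/... name is the requested sname and the krbtgt/ADDEV... name is the sname in the returned ticket; the kdc-options bytes are constructed.

```python
# Added example, not from the original post. KerberosFlags bit numbering
# follows RFC 4120 (bit 0 = most significant bit of the first octet);
# canonicalize is bit 15 (RFC 6806), i.e. mask 0x00010000 in 32-bit form.
CANONICALIZE_BIT = 15

def decode_der_bit_string(der: bytes) -> tuple:
    """Decode a short-form DER BIT STRING (tag 0x03) into (value, bit_count);
    the value's most significant bit is Kerberos flag bit 0."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("long-form or inconsistent length")
    unused, payload = der[2], der[3:]
    if unused > 7 or (unused and not payload):
        raise ValueError("invalid unused-bits octet")
    value = int.from_bytes(payload, "big") >> unused
    return value, len(payload) * 8 - unused

def flag_set(value: int, bit_count: int, bit: int) -> bool:
    """True if Kerberos flag `bit` is set in a decoded KerberosFlags value."""
    if bit >= bit_count:
        return False
    return bool((value >> (bit_count - 1 - bit)) & 1)

def classify_tgs_rep(kdc_options_der: bytes, requested_sname: str,
                     ticket_sname: str) -> str:
    """'match': KDC issued what was asked for.
    'referral-tgt': krbtgt for another realm and canonicalize was requested,
                    so a referral is permitted.
    'unsolicited-referral': krbtgt for another realm without canonicalize,
                    the case the post asks about; don't silently accept it.
    'sname-mismatch': some other service name than requested."""
    value, bit_count = decode_der_bit_string(kdc_options_der)
    canonicalize = flag_set(value, bit_count, CANONICALIZE_BIT)
    if requested_sname == ticket_sname:
        return "match"
    if ticket_sname.startswith("krbtgt/"):
        return "referral-tgt" if canonicalize else "unsolicited-referral"
    return "sname-mismatch"

# Constructed sample kdc-options (32 bits): forwardable + renewable, with and
# without canonicalize. Real values come from the TGS-REQ body in the pcap.
OPTS_WITH_CANON = bytes.fromhex("03050040810000")     # 0x40810000
OPTS_WITHOUT_CANON = bytes.fromhex("03050040800000")  # 0x40800000
REQUESTED = "HTTP/www.exchaddev.customer.domain"      # assumed requested sname
RETURNED = "krbtgt/ADDEV.CUSTOMER.DOMAIN"             # assumed ticket sname
```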