Support for Windows Server 2003 referrals

Greg Hudson ghudson at MIT.EDU
Fri Feb 14 11:28:34 EST 2014

On 01/29/2014 01:13 PM, Nate Rosenblum wrote:
> Here's an AS-REQ & error response for a login for `nater at`,
> an enterprise principal name.

We asked Microsoft for clarification about this behavior, and the
engineer noted that the canonicalize flag is not set in the AS request:

>     Kerberos AS-REQ
>         KDC_REQ_BODY
>             KDCOptions: 00000010 (Renewable OK)
>             Client Name (Enterprise Name): nater at

We have logic to accept a canonicalized response if the client name is
an NT_ENTERPRISE principal, but not to set the canonicalize flag in the
request.  I think we will want to change that.  For the moment, can you
try setting the canonicalize flag by hand (with kinit -C or
krb5_get_init_creds_opt_set_canonicalize) and checking that you get a
WRONG_REALM response from Server 2003?

Our KDC treats the canonicalize flag as implicitly set if the client
name type is NT_ENTERPRISE.  I would speculate that Server 2008 does the
same, but that Server 2003 does not.

If I am right, then it's still kind of interesting that Server 2003
includes the referral realm in the PRINCIPAL_UNKNOWN error for a
non-canonicalize NT_ENTERPRISE AS-REQ, but it's probably not behavior we
want to react to.
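The exchange above turns on one bit in the AS-REQ's KDCOptions field. The following is an added example, not part of the krbdev post or of MIT krb5: it decodes the Wireshark-style hex value quoted in the message (constructed from that excerpt), shows what kinit -C would change, and models the two KDC policies the message contrasts. The "implicit canonicalize for NT_ENTERPRISE" rule is what Greg states the MIT KDC does; treating the explicit bit as the only trigger is his speculation about Server 2003, so it is exposed as a toggle rather than asserted as fact. Flag bit positions follow RFC 4120 section 5.4.1 and RFC 6806.

```python
"""Decode an AS-REQ KDCOptions value and evaluate the canonicalize policy.

Added example; not code from the krbdev post or from MIT krb5.  The sample
value "00000010" is constructed from the Wireshark excerpt quoted in the
message (KDCOptions: 00000010 (Renewable OK), cname type NT_ENTERPRISE).
"""

# KDCOptions bit numbers, RFC 4120 section 5.4.1 (bit 0 is the most
# significant bit of the 32-bit KerberosFlags, which is how Wireshark and
# the quoted dump print the hex value).
KDC_OPTION_BITS = {
    1: "forwardable",
    2: "forwarded",
    3: "proxiable",
    4: "proxy",
    5: "allow-postdate",
    6: "postdated",
    8: "renewable",
    11: "opt-hardware-auth",
    14: "cname-in-addl-tkt",        # RFC 6806
    15: "canonicalize",             # RFC 6806
    16: "request-anonymous",        # RFC 6112
    26: "disable-transited-check",
    27: "renewable-ok",
    28: "enc-tkt-in-skey",
    30: "renew",
    31: "validate",
}
CANONICALIZE_BIT = 15

# Principal name types (RFC 4120 section 6.2; NT_ENTERPRISE from RFC 6806).
NT_PRINCIPAL = 1
NT_ENTERPRISE = 10


def _parse_flags(hex_flags: str) -> int:
    value = int(hex_flags, 16)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("KDCOptions is a 32-bit flag field")
    return value


def _bit_set(value: int, bit: int) -> bool:
    # MSB-first numbering: bit 0 is 0x80000000, bit 31 is 0x00000001.
    return bool((value >> (31 - bit)) & 1)


def decode_kdc_options(hex_flags: str) -> set:
    """Return the names of all KDCOptions flags set in an 8-hex-digit value."""
    value = _parse_flags(hex_flags)
    return {name for bit, name in KDC_OPTION_BITS.items() if _bit_set(value, bit)}


def canonicalize_requested(hex_flags: str) -> bool:
    """True if the client explicitly set the canonicalize flag."""
    return _bit_set(_parse_flags(hex_flags), CANONICALIZE_BIT)


def set_canonicalize(hex_flags: str) -> str:
    """Return the KDCOptions value a client would send after kinit -C
    (or krb5_get_init_creds_opt_set_canonicalize): same flags plus bit 15."""
    value = _parse_flags(hex_flags) | (1 << (31 - CANONICALIZE_BIT))
    return format(value, "08x")


def effective_canonicalize(hex_flags: str, cname_type: int,
                           implicit_for_enterprise: bool = True) -> bool:
    """Would the KDC process this AS-REQ as a canonicalize request?

    implicit_for_enterprise=True is the MIT KDC rule stated in the post
    (NT_ENTERPRISE implies canonicalize).  False models the behaviour the
    post speculates Server 2003 has: only the explicit bit counts.
    """
    if canonicalize_requested(hex_flags):
        return True
    return implicit_for_enterprise and cname_type == NT_ENTERPRISE


if __name__ == "__main__":
    quoted = "00000010"   # constructed from the AS-REQ quoted in the message
    print("flags in quoted AS-REQ:", sorted(decode_kdc_options(quoted)))
    print("canonicalize bit set:", canonicalize_requested(quoted))
    print("after kinit -C:", set_canonicalize(quoted),
          sorted(decode_kdc_options(set_canonicalize(quoted))))
    print("MIT KDC treats as canonicalize:",
          effective_canonicalize(quoted, NT_ENTERPRISE, True))
    print("explicit-bit-only KDC treats as canonicalize:",
          effective_canonicalize(quoted, NT_ENTERPRISE, False))
```

The quoted request decodes to renewable-ok alone, so under an explicit-bit-only KDC an enterprise name gets no canonicalization, while the MIT rule canonicalizes it anyway; re-running the decoder on the value after set_canonicalize shows the single bit that kinit -C adds.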