Support for Windows Server 2003 referrals
ghudson at MIT.EDU
Fri Feb 14 11:28:34 EST 2014
On 01/29/2014 01:13 PM, Nate Rosenblum wrote:
> Here's an AS-REQ & error response for a login for `nater at maginatics.com`,
> an enterprise principal name.
We asked Microsoft for clarification about this behavior, and the
engineer noted that the canonicalize flag is not set in the AS request:
> Kerberos AS-REQ
> KDCOptions: 00000010 (Renewable OK)
> Client Name (Enterprise Name): nater at maginatics.com
We have logic to accept a canonicalized response if the client name is
an NT_ENTERPRISE principal, but not to set the canonicalize flag in the
request. I think we will want to change that. For the moment, can you
try setting the canonicalize flag by hand (with kinit -C or
krb5_get_init_creds_opt_set_canonicalize) and checking that you get a
WRONG_REALM response from Server 2003?
Our KDC treats the canonicalize flag as implicitly set if the client
name type is NT_ENTERPRISE. I would speculate that Server 2008 does the
same, but that Server 2003 does not.
If I am right, then it's still kind of interesting that Server 2003
includes the referral realm in the PRINCIPAL_UNKNOWN error for a
non-canonicalize NT_ENTERPRISE AS-REQ, but it's probably not behavior we
want to react to.
More information about the krbdev