Support for Windows Server 2003 referrals
Nate Rosenblum
nater at maginatics.com
Fri Feb 14 13:33:10 EST 2014
>
>
> Our KDC treats the canonicalize flag as implicitly set if the client
> name type is NT_ENTERPRISE. I would speculate that Server 2008 does the
> same, but that Server 2003 does not.
>
>
Oh, would that it were so. However, in my application I do set the
canonicalize bit; I regret that I muddied the waters by failing to do so
when reproducing with kinit. I've responded in the Microsoft with traces
that show that Server 2k3 does the wrong thing even when asked to
canonicalize.
> If I am right, then it's still kind of interesting that Server 2003
> includes the referral realm in the PRINCIPAL_UNKNOWN error for a
> non-canonicalize NT_ENTERPRISE AS-REQ, but it's probably not behavior we
> want to react to.
>
I would strongly prefer that the patch be merged; I think we have pretty
strong confidence that 2k3's behavior is not intentional and needs this
workaround, but am happy to wait for another iteration with our Microsoft
contact.
Best,
--nate
More information about the krbdev
mailing list