S4U2self and S4U2proxy don't honor Canonicalize option
ghudson at mit.edu
Tue Mar 24 14:19:01 EDT 2015
On 03/24/2015 05:44 AM, Srinivas Cheruku wrote:
> I am sending S4U2self and S4U2proxy requests to MS AD (2003/2008/2012) and
> found that the client name in these tickets is not canonicalized even though
> KDC option Canonicalize is set.
> Any idea why MS AD is not canonicalizing the client name in these tickets?
I can only speculate based on the documentation, but it seems that
client name canonicalization is an AS-REQ facility, while S4U requests
are specialized TGS-REQs.
For S4U2Self I believe you are supposed to identify the client principal
name using an AS-REQ as described in [MS-S4U] section 188.8.131.52.1.1 before
making the S4U2Self TGS request.
For S4U2Proxy you present an evidence ticket which should already have a
canonicalized client name.