S4U2self and S4U2proxy don't honor Canonicalize option

Greg Hudson ghudson at mit.edu
Tue Mar 24 14:19:01 EDT 2015

On 03/24/2015 05:44 AM, Srinivas Cheruku wrote:
> I am sending S4U2self and S4U2proxy requests to MS AD (2003/2008/2012) and
> found that the client name in these tickets is not canonicalized even though
> KDC option Canonicalize is set.

> Any idea why MS AD is not canonicalizing the client name in these tickets?

I can only speculate based on the documentation, but it seems that
client name canonicalization is an AS-REQ facility, while S4U requests
are specialized TGS-REQs.

For S4U2Self I believe you are supposed to identify the client principal
name using an AS-REQ as described in [MS-S4U] section before
making the S4U2Self TGS request.

For S4U2Proxy you present an evidence ticket which should already have a
canonicalized client name.

[MS-S4U] https://msdn.microsoft.com/en-us/library/cc246071.aspx
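As an added example (not part of this thread or of MIT krb5), a small Python decoder for the 32-bit KDCOptions bit string, so you can confirm from a capture that the Canonicalize bit (bit 15, RFC 6806) really is set on the S4U2self TGS-REQ and that the S4U2proxy request carries cname-in-addl-tkt (bit 14, MS-SFU); the classification in check_request follows the reasoning in the reply above. The sample option values are constructed.

```python
# Added example, not code from the thread. Bit numbers follow RFC 4120 / RFC 6806,
# where bit 0 is the most significant bit of the 32-bit KDCOptions value.
KDC_OPTION_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 8: "renewable",
    14: "cname-in-addl-tkt",   # set by S4U2proxy requests (MS-SFU)
    15: "canonicalize",        # RFC 6806 name canonicalization
    26: "disable-transited-check", 27: "renewable-ok",
    28: "enc-tkt-in-skey", 30: "renew", 31: "validate",
}
AS_REQ, TGS_REQ = 10, 12  # KRB-KDC-REQ msg-type values (RFC 4120)


def option_mask(bit):
    """Mask for RFC 4120 bit number `bit` (bit 0 is the MSB)."""
    return 1 << (31 - bit)


def decode_kdc_options(value):
    """Names of the options set in a 32-bit KDCOptions value, in bit order."""
    return [name for bit, name in sorted(KDC_OPTION_BITS.items())
            if value & option_mask(bit)]


def encode_kdc_options(names):
    """Inverse of decode_kdc_options; raises KeyError on an unknown name."""
    by_name = {name: bit for bit, name in KDC_OPTION_BITS.items()}
    value = 0
    for name in names:
        value |= option_mask(by_name[name])
    return value


def check_request(msg_type, value):
    """Classify a captured request's KDCOptions along the lines of the reply:
    canonicalization is an AS-REQ facility, so the bit being present on an S4U
    TGS-REQ does not mean the returned ticket's client name is canonicalized."""
    opts = decode_kdc_options(value)
    kind = {AS_REQ: "AS-REQ", TGS_REQ: "TGS-REQ"}[msg_type]
    return {
        "kind": kind,
        "options": opts,
        "canonicalize_set": "canonicalize" in opts,
        "canonicalize_expected_to_apply": msg_type == AS_REQ and "canonicalize" in opts,
        "s4u2proxy_shape": msg_type == TGS_REQ and "cname-in-addl-tkt" in opts,
    }
```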
