S4U2self and S4U2proxy don't honor Canonicalize option
srinivas.cheruku at gmail.com
Thu Mar 26 08:34:09 EDT 2015
> Looks like there is no way to determine the canonicalized user
> principal name (in correct case) when getting S4U2self ticket. As the
> KDC that issues S4U2self ticket may not be same as the one where the
> user principal resides, it becomes tricky to send the actual principal
> name to the ticket issuing KDC. Maybe MS-PAC might contain the actual
> client principal name, but the MS-PAC generated by the user's KDC may
> not be read by S4U2self ticket issuing KDC. Any ideas?
I would suggest asking Microsoft (via dochelp at microsoft.com) if there is a
way to canonicalize the principal name during an S4U2Self request.
[Srinivas Cheruku] Will check with Microsoft. Thank you.
I'm actually a little surprised that they aren't canonicalizing during the
request, as PA-S4U-X509-USER contains a way to identify the user by
certificate without even specifying a principal name.
[Srinivas Cheruku] I haven't checked PA-S4U-X509-USER yet. I think when
using Smartcard logon certificate the Subject Alternate Name contains the
More information about the krbdev