S4U2self and S4U2proxy don't honor Canonicalize option

Srinivas Cheruku srinivas.cheruku at gmail.com
Thu Mar 26 08:34:09 EDT 2015

> Looks like there is no way to determine the canonicalized user 
> principal name (in correct case) when getting S4U2self ticket. As the 
> KDC that issues S4U2self ticket may not be same as the one where the 
> user principal resides, it becomes tricky to send the actual principal 
> name to the ticket issuing KDC. Maybe MS-PAC might contain the actual 
> client principal name, but the MS-PAC generated by the user's KDC may 
> not be read by S4U2self ticket issuing KDC.  Any ideas?

I would suggest asking Microsoft (via dochelp at microsoft.com) if there is a
way to canonicalize the principal name during an S4U2Self request.
[Srinivas Cheruku] Will check with Microsoft. Thank you.

I'm actually a little surprised that they aren't canonicalizing during the
request, as PA-S4U-X509-USER contains a way to identify the user by
certificate without even specifying a principal name.
[Srinivas Cheruku] I haven't checked PA-S4U-X509-USER yet. I think when
using Smartcard logon certificate the Subject Alternate Name contains the

More information about the krbdev mailing list