On Mon, 2015-02-16 at 01:01 +0000, Sreekanth Nadendla wrote: > Hello Andrew, Our product team finds that no explicit change to our documents > is needed. Below is the summary of explanation > covering the 3 scenarios we have been investigating. > > > 1.) When canonicalization is NOT asked for, the Cname in the KDC reply is > identical to the Cname that was sent in the request. This is exactly RFC > behavior, so MS-KILE doesn’t need to describe this separately. > > 2.) When canonicalization is asked for, the Cname in the KDC reply will be > the user account’s normalized SAM account name. > So this could result in mismatch of username between what is present in the > Kerberos ticket and the value specified in the Request. > > Section 6 from > http://tools.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-referrals-11 > describes this. > > 3.) The KDC always returns its proper realm name. This is not part of > the canonicalize flag. Per the RFC, realm names are case sensitive > and so sending a realm name with the case modified should result in > Kerberos rejecting the authentication outright since the realm name > provided is not known. Windows allows realm names to be case > insensitive which is why you can get away with this.
Where is the Windows behaviour note for this? Thanks, -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba _______________________________________________ cifs-protocol mailing list [email protected] https://lists.samba.org/mailman/listinfo/cifs-protocol
