Hello Andrew,

MS-KILE section “3.1.5.7 Internationalization and Case Sensitivity” mentions that Name comparisons, whether for users or domains, MUST NOT be case sensitive in MS-KILE. So a separate WBN is NOT needed.

Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications

-----Original Message-----
From: Andrew Bartlett [mailto:[email protected]]
Sent: Sunday, February 15, 2015 9:15 PM
To: Sreekanth Nadendla
Cc: MSSolve Case Email; [email protected]
Subject: Re: [cifs-protocol] 114121712176508 MS-KILE Behaviour for client principal name in service tickets

On Mon, 2015-02-16 at 01:01 +0000, Sreekanth Nadendla wrote:
> Hello Andrew, Our product team finds that no explicit change to our
> documents is needed. Below is the summary of explanation covering the 3
> scenarios we have been investigating.
>
>
> 1.) When canonicalization is NOT asked for, the Cname in the KDC reply is
> identical to the Cname that was sent in the request. This is exactly RFC
> behavior, so MS-KILE doesn’t need to describe this separately.
>
> 2.) When canonicalization is asked for, the Cname in the KDC reply will be
> the user account’s normalized SAM account name.
> So this could result in mismatch of username between what is present in the
> Kerberos ticket and the value specified in the Request.
>
> Section 6 from
> http://tools.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-referrals-11
> describes this.
>
> 3.) The KDC always returns its proper realm name. This is not part of
> the canonicalize flag. Per the RFC, realm names are case sensitive
> and so sending a realm name with the case modified should result in
> Kerberos rejecting the authentication outright since the realm name
> provided is not known. Windows allows realm names to be case
> insensitive which is why you can get away with this.

Where is the Windows behaviour note for this?

Thanks,

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
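
The three scenarios discussed in this thread, modelled as an added example that is not part of the original messages and is not Microsoft or Samba code. The realm, the account, the `strict_rfc_realm` switch and the treatment of the "normalized SAM account name" as the stored casing are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: the realm and the account are made up for this sketch.
KDC_REALM = "EXAMPLE.COM"
ACCOUNTS = {"alice": "Alice"}  # case-folded key -> SAM account name as stored


class UnknownRealm(Exception):
    """The request named a realm this KDC does not serve."""


@dataclass
class Reply:
    crealm: str
    cname: str


def kdc_reply(req_realm, req_cname, canonicalize, strict_rfc_realm=False):
    """Return the crealm/cname the modelled KDC places in its reply."""
    # Scenario 3: per the RFC a realm is matched case sensitively; Windows
    # matches it case insensitively (strict_rfc_realm is a hypothetical switch).
    if strict_rfc_realm:
        known = req_realm == KDC_REALM
    else:
        known = req_realm.casefold() == KDC_REALM.casefold()
    if not known:
        raise UnknownRealm(req_realm)
    # MS-KILE 3.1.5.7: user name comparison is not case sensitive either.
    sam_name = ACCOUNTS[req_cname.casefold()]
    # Scenario 1: without canonicalization the request cname is echoed as sent.
    # Scenario 2: with it, the account's SAM account name is returned instead.
    cname = sam_name if canonicalize else req_cname
    # Scenario 3: the KDC always returns its own proper realm name.
    return Reply(crealm=KDC_REALM, cname=cname)


def differences(req_realm, req_cname, reply):
    """List reply fields that are not byte-for-byte what the client sent."""
    sent = {"crealm": req_realm, "cname": req_cname}
    return [f for f, v in sent.items() if getattr(reply, f) != v]


if __name__ == "__main__":
    for canon in (False, True):
        r = kdc_reply("example.com", "ALICE", canonicalize=canon)
        print(canon, r, differences("example.com", "ALICE", r))
```

A client that compares the reply byte-for-byte against its request sees a realm difference in both runs and a name difference only when canonicalization was requested.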
