On 30/08/2009, at 2:38 AM, Greg Hudson wrote:

> On Sat, 2009-08-29 at 11:01 -0400, Chris wrote:
>> Are there any known scenarios where forcing canonicalization on the KDC
>> would be bad?
>
> I'm not aware of any--in fact, I couldn't tell you with confidence why
> our KDC is checking that flag for TGS requests without consultation with
> others. However, if you have old MIT Kerberos software on server
> machines (in the sense of a Kerberos application server), you may run
> into another problem:
In the TGS, the canonicalize flag is used only for determining whether to return referrals; in a normal service principal request, it has no bearing on the returned service name. The behaviour for the AS is slightly different in respect of service names, in order to handle some Windows interoperability issues. In respect of client names, the canonicalize flag permits a different client name to be returned.

-- Luke

________________________________________________
Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
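The following is an added example written for this thread; it is not code from either post or from MIT krb5. It decodes the KDCOptions bit string that an AS-REQ or TGS-REQ carries (bit numbering per RFC 4120 KerberosFlags, with canonicalize at bit 15 per RFC 6806) and then models, in simplified form, the behaviour Luke describes: in the TGS the flag only decides whether a referral comes back, while in the AS it allows a different client name to be returned. The AS-side service-name handling for Windows interoperability that Luke mentions is deliberately not modelled, and all sample bytes, principal names and realms are constructed.

```python
# Added example for this thread (not code from the list posts or from MIT krb5).
# Decodes the KDCOptions bit string of an AS-REQ/TGS-REQ and models the
# canonicalize behaviour described in the thread: in the TGS the flag only
# decides whether a referral is returned; in the AS it permits the KDC to
# return a different (canonical) client name.
# Bit numbering: RFC 4120 KerberosFlags (bit 0 = MSB of the first octet);
# canonicalize is bit 15 per RFC 6806.  All sample bytes and names are constructed.

CANONICALIZE_BIT = 15

# Only the option bits used here are named.
KDC_OPTION_BITS = {
    "forwardable": 1,
    "proxiable": 3,
    "renewable": 8,
    "canonicalize": CANONICALIZE_BIT,
    "enc-tkt-in-skey": 28,
    "renew": 30,
    "validate": 31,
}


def flag_set(options: bytes, bit: int) -> bool:
    """True if KerberosFlags bit `bit` is set (MSB-first numbering)."""
    if len(options) < 4:
        raise ValueError("KDCOptions must carry at least 32 bits")
    byte_index, bit_in_byte = divmod(bit, 8)
    return bool(options[byte_index] & (0x80 >> bit_in_byte))


def encode_kdc_options(*names: str) -> bytes:
    """Build a 4-byte KDCOptions value from flag names (used for the samples)."""
    word = 0
    for name in names:
        word |= 1 << (31 - KDC_OPTION_BITS[name])
    return word.to_bytes(4, "big")


def decode_kdc_options(options: bytes) -> set:
    """Names of the known option bits that are set in `options`."""
    return {name for name, bit in KDC_OPTION_BITS.items() if flag_set(options, bit)}


def kdc_reply_names(req_type, options, client_name, service_name,
                    canonical_client=None, service_realm=None,
                    kdc_realm="EXAMPLE.COM"):
    """Model the effect of the canonicalize flag on the names a KDC returns.

    Simplified illustration of the thread's description; the AS-side
    service-name handling for Windows interoperability is not modelled.
    """
    canon = flag_set(options, CANONICALIZE_BIT)
    reply = {"client": client_name, "service": service_name, "referral_to_realm": None}
    if req_type == "AS":
        # Only with canonicalize set may the AS hand back a different client name.
        if canon and canonical_client:
            reply["client"] = canonical_client
    elif req_type == "TGS":
        # In the TGS the flag only gates referrals; the service name is not rewritten.
        if canon and service_realm and service_realm != kdc_realm:
            reply["referral_to_realm"] = service_realm
    else:
        raise ValueError("req_type must be 'AS' or 'TGS'")
    return reply


# Constructed samples: the same request options with and without canonicalize.
SAMPLE_WITH_CANON = encode_kdc_options("forwardable", "renewable", "canonicalize")
SAMPLE_WITHOUT_CANON = encode_kdc_options("forwardable", "renewable")

if __name__ == "__main__":
    print(SAMPLE_WITH_CANON.hex(), sorted(decode_kdc_options(SAMPLE_WITH_CANON)))
    print(kdc_reply_names("AS", SAMPLE_WITH_CANON, "Alice@EXAMPLE.COM",
                          "krbtgt/EXAMPLE.COM", canonical_client="alice@EXAMPLE.COM"))
    print(kdc_reply_names("TGS", SAMPLE_WITH_CANON, "alice@EXAMPLE.COM",
                          "host/fs.other.com", service_realm="OTHER.COM"))
```

When troubleshooting the problem Greg raises (old application servers tripping over a name that differs from what the client asked for), the first thing to check is whether the client is actually setting bit 15 in its requests; `flag_set(options, 15)` on the kdc-options field of a captured request answers that directly, and the model shows that with the flag clear neither the AS client name nor the TGS referral behaviour changes.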
