On Mon, Sep 26, 2016 at 7:09 PM, Greg Hudson <ghud...@mit.edu> wrote:
> On 09/25/2016 04:32 PM, Isaac Boukris wrote:
>> In such a case (no canonicalization), if the user is found, the KDC
>> returns AS reply with the exact name and name-type (enterprise) as
>> requested.
>
> Interesting. That's probably not a behavior we want; enterprise names
> should ideally only exist on the edge of the krb5 protocol. I also
> don't think that's the behavior we would see with an MIT krb5 KDC
> (combined with a third-party KDB module that implements enterprise
> principal name lookup).
I've now looked further into the constrained delegation case. Using an enterprise name works fine with a UPN, but I see no canonicalization happening (even with the flag on, the enterprise name-type is returned in the TGS-REP). This can be seen when using the 'kvno' tool to do constrained delegation, as it always parses the 'for_user' as an enterprise name.

From the MS-SFU doc it sounds like the KDC copies back the username and realm from the request (PA-FOR-USER).
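The behaviour discussed in this thread, as an added example that is not part of the post and is not code from MIT krb5 or the kvno tool: a small Python model of enterprise principal names (RFC 6806 name-type 10) and of the client name a KDC returns in the S4U2Self reply with and without canonicalization. The KDB table, DEFAULT_REALM and all function names are constructed for the illustration, and the parser is a simplified rendering of the enterprise rules of krb5_parse_name(), not the library's code.

```python
# Added example, not code from this thread, MIT krb5 or kvno: a small model of
# enterprise principal names and of the client name a KDC returns for an
# S4U2Self (PA-FOR-USER) request, with and without canonicalization.
from dataclasses import dataclass

NT_PRINCIPAL = 1      # RFC 4120 KRB_NT_PRINCIPAL
NT_ENTERPRISE = 10    # RFC 6806 KRB_NT_ENTERPRISE_PRINCIPAL
DEFAULT_REALM = "EXAMPLE.COM"   # constructed default realm for unqualified names


@dataclass(frozen=True)
class Principal:
    realm: str
    components: tuple
    name_type: int = NT_PRINCIPAL


def parse_principal(text: str, enterprise: bool = False) -> Principal:
    """Parse a krb5-style principal string.

    Backslash escapes the next character ('\\@' keeps a literal '@' inside a
    component).  With enterprise=True the first unescaped '@' is part of the
    single name component, e.g. 'alice@example.com@EXAMPLE.COM', and the
    name type becomes NT_ENTERPRISE.  Assumption: this is a simplification of
    the rules of krb5_parse_name() with KRB5_PRINCIPAL_PARSE_ENTERPRISE.
    """
    comps, cur, in_realm = [], [], False
    first_at = enterprise          # the first '@' belongs to an enterprise name
    i = 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):   # escaped character, taken literally
            cur.append(text[i + 1])
            i += 2
            continue
        if not in_realm and c == "/" and not enterprise:
            comps.append("".join(cur))        # component separator
            cur = []
        elif not in_realm and c == "@" and first_at:
            first_at = False
            cur.append(c)                     # '@' is part of the UPN-style name
        elif not in_realm and c == "@":
            comps.append("".join(cur))        # realm separator
            cur, in_realm = [], True
        else:
            cur.append(c)
        i += 1
    if in_realm:
        realm = "".join(cur)
    else:
        comps.append("".join(cur))
        realm = DEFAULT_REALM
    return Principal(realm, tuple(comps),
                     NT_ENTERPRISE if enterprise else NT_PRINCIPAL)


def unparse_principal(p: Principal) -> str:
    """Render a principal, escaping the characters that would act as separators."""
    def esc(s: str) -> str:
        return "".join("\\" + ch if ch in "\\/@" else ch for ch in s)
    return "/".join(esc(c) for c in p.components) + "@" + esc(p.realm)


# Constructed KDB: canonical principal -> names (UPN or otherwise) that map to it.
KDB = {
    Principal("EXAMPLE.COM", ("alice",)): {"alice", "alice@example.com"},
}


def lookup(name: Principal):
    """Return the canonical principal for a name, or None if it is unknown.

    An enterprise name is matched against the UPN-style aliases in the KDB;
    an ordinary principal must match a canonical entry exactly, so a literal
    '@' inside an NT_PRINCIPAL component is not treated as a UPN.
    """
    if name.name_type == NT_ENTERPRISE:
        upn = name.components[0]
        return next((canon for canon, aliases in KDB.items() if upn in aliases), None)
    return name if name in KDB else None


def s4u2self_client_name(for_user: Principal, kdc_canonicalizes: bool) -> Principal:
    """Model the cname a KDC places in the S4U2Self TGS-REP for a PA-FOR-USER.

    kdc_canonicalizes=False reproduces the behaviour reported in the thread:
    the requested name and name-type are copied back unchanged.  True shows
    what a canonicalizing KDC would return instead (the KDB's canonical name).
    """
    canon = lookup(for_user)
    if canon is None:
        raise LookupError(f"unknown client principal {unparse_principal(for_user)}")
    return canon if kdc_canonicalizes else for_user


if __name__ == "__main__":
    ent = parse_principal("alice@example.com@EXAMPLE.COM", enterprise=True)
    lit = parse_principal(r"alice\@example.com@EXAMPLE.COM")
    print(unparse_principal(ent), ent.name_type)   # same text, name-type 10
    print(unparse_principal(lit), lit.name_type)   # same text, name-type 1
    print(s4u2self_client_name(ent, kdc_canonicalizes=False))
    print(s4u2self_client_name(ent, kdc_canonicalizes=True))
```

The two strings 'alice@example.com@EXAMPLE.COM' (parsed as an enterprise name) and 'alice\@example.com@EXAMPLE.COM' (parsed as an ordinary name) unparse to identical text and differ only in name-type, which is why a tool that always parses for_user as an enterprise name, combined with a KDC that copies the name-type back, determines what the reply carries; lookup() returning None for the literal form shows that only the enterprise name-type triggers the UPN match in this model.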