Hi Greg,
Many thanks for taking the time to answer my question.
The reason I ask is because we have a case where two different browsers set
different names in the "KerberosString" / server host field. One sets the
actual FQDN corresponding to the Host A record of the server. The other uses a
CNAME associated with the Host A record; the behavior seems quite random. If I
understand your email, RFC 4120 does not specify what needs to be placed in
here (Host A, CNAME, etc.); it is up to the browser editor to decide what is
placed into this field, right?
Thanks,
William
-----Original Message-----
From: Greg Hudson [mailto:ghud...@mit.edu]
Sent: Thursday 28 December 2017 20:44
To: William HARDY <wha...@pictet.com>; 'kerberos@mit.edu' <kerberos@mit.edu>
Subject: Re: FW: Kerberos question/bug
On 12/28/2017 02:18 AM, William HARDY wrote:
> What is supposed to be in the TGS-REQ
> (Kerberos->tgs-req->req-body->sname->name-string->KerberosString: ? )
sname contains the server principal name. RFC 4120 describes the protocol in
detail.
> It seems that from the same machine (resolving on the same DNS servers), the
> contents of this field differs in a Wireshark capture depending on the
> application used, even though the destination server is the same. What is
> supposed to be in the "KerberosString" field? What determines the content of
> this field?
It is common for server principal names to have two components (two
KerberosStrings in the name-string sequence), where the first names the
application protocol and the second names the server host. So the first
component might be "host" (typically for ssh) or "ldap" or "HTTP", and the
second is the FQDN of the server host.
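As an added illustration of the behaviour discussed in this thread (this is not code from the thread, from MIT Kerberos or from any browser): one client canonicalises the host through its DNS CNAME before building the two-component sname, the other uses the name as typed, so the KDC sees two different service principals for the same server. The DNS zone, hostnames and realm below are constructed; the name-type value is the NT-SRV-HST constant from RFC 4120 section 6.2.

```python
# Constructed DNS zone: a CNAME that points at the host's A record,
# the situation described in the thread.
DNS_ZONE = {
    "intranet.example.com": ("CNAME", "web01.corp.example.com"),
    "web01.corp.example.com": ("A", "10.0.0.5"),
}

NT_SRV_HST = 3  # RFC 4120 section 6.2: name-type for service/host principals


def canonical_host(name, zone=DNS_ZONE, max_hops=8):
    """Follow CNAME records until an A record is reached.

    Raises ValueError on a CNAME loop or an over-long chain and KeyError
    on a name the zone does not know.
    """
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        rtype, target = zone[name]
        if rtype == "A":
            return name
        name = target
    raise ValueError("too many CNAME hops")


def build_sname(service, host, canonicalize, zone=DNS_ZONE):
    """Return the sname as the TGS-REQ carries it: name-type plus name-string.

    name-string[0] is the application protocol ("HTTP", "host", "ldap"),
    name-string[1] the server host; whether that host is the typed name or
    the canonical A-record name depends on the client's canonicalisation.
    """
    target_host = canonical_host(host, zone) if canonicalize else host
    return {"name-type": NT_SRV_HST, "name-string": [service, target_host.lower()]}


def sname_to_text(sname, realm):
    """Render a PrincipalName in the usual service/host@REALM form."""
    return "/".join(sname["name-string"]) + "@" + realm


def required_spns(service, host, realm, zone=DNS_ZONE):
    """Every principal the service keytab must hold for both client behaviours."""
    return sorted({sname_to_text(build_sname(service, host, c, zone), realm)
                   for c in (False, True)})


if __name__ == "__main__":
    for spn in required_spns("HTTP", "intranet.example.com", "EXAMPLE.COM"):
        print(spn)
```

A defender checking a capture like the one described can compare the sname in the TGS-REQ against this list; a missing entry in the service keytab explains a failure for one browser but not the other.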
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos