Problem with case insensitive user names in AD
daemon@ATHENA.MIT.EDU (Srinivas Cheruku)
Fri Jan 12 08:38:50 2007
Message-ID: <45A78F35.2000509@gmail.com>
Date: Fri, 12 Jan 2007 19:07:57 +0530
From: Srinivas Cheruku <srinivas.cheruku@gmail.com>
MIME-Version: 1.0
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hi,
We have an environment consisting of Win2k and Win2k3 servers and
workstations with Windows XP SP2.
The users created in AD are with lower case user principal names, e.g.:
scheruku@XXX.COM
While logging on to Win2k3 AD using winlogon from WinXP, I have used the
user name in mixed case, e.g. Scheruku, in the WinLogon screen for
authenticating.
I have observed the following:
1. In the Windows Credential cache, the TGT is with the client principal
name as Scheruku@XXX.COM though the correct client name (UPN) is
scheruku@XXX.COM
2. I checked using ethereal and the AS-REQ contains:
2.1 Canonicalization flag set.
2.2 client name: Scheruku (as given in logon screen)
3. AS-REP
3.1 client name: Scheruku (as given in logon screen)
I think the TGT should be with the client name as that of sAMAccountName,
which is not the case.
Then I gave the user name as Scheruku@csafe.local (instead of just Scheruku)
in the Winlogon screen and authenticated to Win2k3 AD.
I observed the following now:
1. In the Windows Credential cache, the TGT is with the client principal
name as scheruku@XXX.COM
2. I checked using ethereal and the AS-REQ contains:
2.1 Canonicalization flag set.
2.2 client name: Scheruku (as given in logon screen)
3. AS-REP
3.1 client name: scheruku (same as that of sAMAccountName)
Thinking that there might be some issue with my Win2k3 AD, I tested the
same with Win2k AD, i.e. I have used the user name in mixed case, e.g.
Scheruku, and authenticated using the WinLogon screen.
I observed the following now:
1. In the Windows Credential cache, the TGT is with the client principal
name as scheruku@XXX.COM
2. I checked using ethereal and the AS-REQ contains:
2.1 Canonicalization flag set.
2.2 client name: Scheruku (as given in logon screen)
3. AS-REP
3.1 client name: scheruku (same as that of sAMAccountName)
I don't understand the reason why Win2k3 AD is working differently when
compared with Win2k. Can anyone help me to resolve the problem with my
Win2k3 server?
Thanks,
Srini
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
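An added example, not part of the original post nor any Microsoft or MIT code: it models the case-insensitive, canonicalizing KDC lookup the poster observed (AS-REP cname taken from sAMAccountName) and flags a credential-cache client name that differs from the canonical form only in letter case, which is the symptom in the post. The ACCOUNTS table, DEFAULT_REALM and the klist-style sample text are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed directory snapshot (hypothetical): sAMAccountName -> stored UPN.
ACCOUNTS: Dict[str, str] = {
    "scheruku": "scheruku@XXX.COM",
    "JDoe": "jdoe@XXX.COM",
}
DEFAULT_REALM = "XXX.COM"  # assumed realm for bare logon names

# Constructed MIT-klist-style output, as a cache holding the mixed-case TGT.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: Scheruku@XXX.COM

Valid starting       Expires              Service principal
01/12/07 19:07:57    01/13/07 05:07:57    krbtgt/XXX.COM@XXX.COM
"""

def split_principal(name: str, default_realm: str = DEFAULT_REALM) -> Tuple[str, str]:
    """Split 'user@REALM' into (user, REALM); a bare user gets the default realm."""
    user, sep, realm = name.partition("@")
    return user, (realm if sep else default_realm)

def canonicalize(typed: str, accounts: Dict[str, str] = ACCOUNTS) -> Optional[str]:
    """Emulate a canonicalizing KDC: match the logon name case-insensitively
    and answer with the stored sAMAccountName and the upper-cased realm.
    Returns None when no account matches (a real KDC would return an error)."""
    user, realm = split_principal(typed)
    for sam, upn in accounts.items():
        _, upn_realm = split_principal(upn)
        if sam.casefold() == user.casefold() and upn_realm.upper() == realm.upper():
            return f"{sam}@{upn_realm.upper()}"
    return None

def classify_cached_principal(cached: str, accounts: Dict[str, str] = ACCOUNTS) -> str:
    """'ok' = cache name equals the canonical name; 'case-only' = same account
    but the letter case differs (the post's symptom); 'unknown' = no such account."""
    canonical = canonicalize(cached, accounts)
    if canonical is None:
        return "unknown"
    return "ok" if cached == canonical else "case-only"

_DEFAULT_PRINCIPAL_RE = re.compile(r"^Default principal:\s*(\S+)", re.MULTILINE)

def cached_principal_from_klist(klist_text: str) -> Optional[str]:
    """Extract the client principal from klist-style text (None if absent)."""
    m = _DEFAULT_PRINCIPAL_RE.search(klist_text)
    return m.group(1) if m else None

if __name__ == "__main__":
    name = cached_principal_from_klist(SAMPLE_KLIST)
    print(name, "->", classify_cached_principal(name), "canonical:", canonicalize(name))
```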