List: krbdev
Subject: RE: S4U2self and S4U2proxy don't honor Canonicalize option
From: "Srinivas Cheruku" <srinivas.cheruku () gmail ! com>
Date: 2015-03-26 12:46:09
Message-ID: 001501d067c1$2ad0a410$8071ec30$ () gmail ! com
> Looks like there is no way to determine the canonicalized user
> principal name (in correct case) when getting an S4U2self ticket. As the
> KDC that issues the S4U2self ticket may not be the same as the one where the
> user principal resides, it becomes tricky to send the actual principal
> name to the ticket-issuing KDC. Maybe the MS-PAC might contain the actual
> client principal name, but the MS-PAC generated by the user's KDC may
> not be readable by the S4U2self ticket-issuing KDC. Any ideas?
I would suggest asking Microsoft (via dochelp@microsoft.com) if there is a
way to canonicalize the principal name during an S4U2Self request.
[Srinivas Cheruku] Will check with Microsoft. Thank you.
I'm actually a little surprised that they aren't canonicalizing during the
request, as PA-S4U-X509-USER contains a way to identify the user by
certificate without even specifying a principal name.
[Srinivas Cheruku] I haven't checked PA-S4U-X509-USER yet. I think when
using a smartcard logon certificate the Subject Alternative Name contains the
UserPrincipalName.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
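The last point above, that a smartcard logon certificate carries the UserPrincipalName in its Subject Alternative Name, is what a PA-S4U-X509-USER based request would lean on; the UPN is stored as an otherName with Microsoft's OID 1.3.6.1.4.1.311.20.2.3 and a UTF8String value. As an added example (not code from this thread or from MIT Kerberos), the stdlib-only Python below constructs such a SAN extension value and walks its DER to pull the UPN out exactly as the CA wrote it, so a verifier can compare it against a requested principal without guessing at case; the certificate contents are constructed sample data.

```python
# Added example: extract the Microsoft UPN otherName from a SubjectAltName
# extension value.  Pure-stdlib DER walk; the SAN bytes are constructed here.
UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # szOID_NT_PRINCIPAL_NAME (smartcard logon UPN)

def der_len(n):
    # Short form for < 128 bytes, one-byte long form otherwise (enough for samples).
    return bytes([n]) if n < 0x80 else b"\x81" + bytes([n])

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        while p >= 0x80:            # base-128 with continuation bits
            p >>= 7
            chunk.insert(0, (p & 0x7F) | 0x80)
        out += chunk
    return bytes(out)

def decode_oid(b):
    vals, acc = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        acc = (acc << 7) | (x & 0x7F)
        if not x & 0x80:
            vals.append(acc)
            acc = 0
    return ".".join(map(str, vals))

def read_tlv(b, i):
    """Return (tag, value, next_index) for the TLV at b[i]; short/one-byte lengths only."""
    tag, n, i = b[i], b[i + 1], i + 2
    if n == 0x81:
        n, i = b[i], i + 1
    return tag, b[i:i + n], i + n

def upn_from_san(san_der):
    """Walk GeneralNames and return the UPN from the MS otherName, or None."""
    tag, names, _ = read_tlv(san_der, 0)
    assert tag == 0x30, "SubjectAltName must be SEQUENCE OF GeneralName"
    i = 0
    while i < len(names):
        tag, body, i = read_tlv(names, i)
        if tag != 0xA0:              # otherName is [0] IMPLICIT SEQUENCE
            continue
        oid_tag, oid, j = read_tlv(body, 0)
        val_tag, inner, _ = read_tlv(body, j)   # value is [0] EXPLICIT ANY
        if oid_tag == 0x06 and decode_oid(oid) == UPN_OID and val_tag == 0xA0:
            str_tag, s, _ = read_tlv(inner, 0)
            if str_tag == 0x0C:      # UTF8String
                return s.decode("utf-8")
    return None

def sample_san(upn, dns):
    """Constructed SAN value: a dNSName [2] followed by a Microsoft UPN otherName [0]."""
    other = tlv(0xA0, tlv(0x06, encode_oid(UPN_OID)) + tlv(0xA0, tlv(0x0C, upn.encode())))
    return tlv(0x30, tlv(0x82, dns.encode()) + other)
```

Feeding the value of a real certificate's id-ce-subjectAltName extension (OID 2.5.29.17) to `upn_from_san` returns the UPN with the case the issuing CA recorded, which is the name a KDC would match when the user is identified by certificate rather than by a typed principal.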