RFR 8239385: KerberosTicket client name refers wrongly to sAMAccountName in AD

Weijun Wang weijun.wang at oracle.com
Sun Mar 29 04:10:47 UTC 2020


The change looks good to me.

> On Mar 29, 2020, at 8:12 AM, Martin Balao <mbalao at redhat.com> wrote:
> 
> * http://cr.openjdk.java.net/~mbalao/webrevs/8239385/8239385.webrev.00/
> ...

>  * Note: from a client side, sending an NT-ENTERPRISE cname means that
> the cname can change in the response. Windows AD 2016, however, does not
> change it unless 'canonicalize' flag is explicitly set in the request.

Sounds quite reasonable to me. This means "You might find info associated with my other names, but please always call me by my original name".

Thanks,
Max



