RFR 8239385: KerberosTicket client name refers wrongly to sAMAccountName in AD

Martin Balao mbalao at redhat.com
Mon Mar 30 14:48:06 UTC 2020

Hi Max,

Thanks for having a look at this.

On 3/29/20 1:10 AM, Weijun Wang wrote:
>>  * Note: from a client side, sending an NT-ENTERPRISE cname means that
>> the cname can change in the response. Windows AD 2016, however, does not
>> change it unless 'canonicalize' flag is explicitly set in the request.
> Sounds quite reasonable to me. This means "You might find info associated with my other names, but please always call me by my original name".

Yes, correct. In fact, Windows AD seems not to change the cname when an
NT-ENTERPRISE cname is sent and 'canonicalize' is false. AS referrals
keep working in this case.

However, it's more of a suggestion: if any other KDC decides to change
an NT-ENTERPRISE cname even when 'canonicalize' was false in the
request, we will handle that and move on (this is a bit off RFC 6806 as
'canonicalize' should have been true when sending an NT-ENTERPRISE).
That's what we -and the MIT client- mean with "NT-ENTERPRISE" implies
