From 649558c81688632d3631b69200d485c0a1e6fc60 Mon Sep 17 00:00:00 2001 From: Jeffrey Altman Date: Mon, 2 Feb 2004 16:05:12 +0000 Subject: [PATCH] * Update README to describe the new PreserveInitialTicketIdentity registry key. ticket: 2139 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15996 dc483132-0cff-0310-8789-dd5450dbe970 --- src/windows/ChangeLog | 4 ++++ src/windows/README | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+) diff --git a/src/windows/ChangeLog b/src/windows/ChangeLog index 6d67dfa33..1098a20c5 100644 --- a/src/windows/ChangeLog +++ b/src/windows/ChangeLog @@ -1,3 +1,7 @@ +2004-02-02 Jeffrey Altman + + * README: Document PreserveInitialTicketIdentity registry key + 2004-01-30 Jeffrey Altman * README: Update the text to include the details of the new diff --git a/src/windows/README b/src/windows/README index 50b6e40f2..96757e925 100644 --- a/src/windows/README +++ b/src/windows/README 
@@ -245,6 +245,43 @@ On Windows XP SP2 Beta 1 the key was specified as However, we anticipate that this will be changed to match the Server platforms in time for SP2 RC1. +It has been noted that the Microsoft Kerberos LSA does not provide enough +information within its KERB_EXTERNAL_TICKET structure to properly construct +the Client Principal simply by examining a single ticket. From the MSDN +Library: + + ClientName + KERB_EXTERNAL_NAME structure that contains the client name in the ticket. + This name is relative to the current domain. + + DomainName + UNICODE_STRING that contains the name of the domain that corresponds to + the ServiceName member. This is the domain that issued the ticket. + + TargetDomainName + UNICODE_STRING that contains the name of the domain in which the ticket is + valid. For an interdomain ticket, this is the destination domain. + + AltTargetDomainName + UNICODE_STRING that contains a synonym for the destination domain. Every + domain has two names: a DNS name and a NetBIOS name. If the name returned + in the ticket is different from the name used to request the ticket (the + Kerberos Key Distribution Center (KDC) may do name mapping), this string + contains the original name. + +Unfortunately, there is no field here which contains the domain of the client. +In order for the krb5_ccache to properly report the client principal name, the +client principal name is constructed by utilizing the ClientName and DomainName +fields of the Initial TGT associated with the Kerberos LSA credential cache. +To disable the use of the TGT info and instead simply use the "DomainName" field +of the current ticket define one of the following registry keys depending on +whether the change should be system global or just for the current user. + + HKLM\Software\MIT\Kerberos5\ + PreserveInitialTicketIdentity = 0x0 (DWORD) + + HKCU\Software\MIT\Kerberos5\ + PreserveInitialTicketIdentity = 0x0 (DWORD) GSSAPI Sample Client: --------------------- -- 2.26.2
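Review bot: the new README text documents only the value that turns the behaviour off (PreserveInitialTicketIdentity = 0x0) and leaves two things a reader of this paragraph will need unstated: the default when the value is absent (the surrounding text implies the Initial TGT's ClientName/DomainName are used unless the value is set to 0, so say so explicitly, e.g. "The default is 0x1"), and which of HKLM\Software\MIT\Kerberos5 and HKCU\Software\MIT\Kerberos5 wins when both define the value with different settings. The consequence of disabling it should also be spelled out rather than left to the MSDN quote: per the quoted text, DomainName "is the domain that issued the ticket", i.e. the domain that corresponds to ServiceName, so with the value set to 0 a cross-domain service ticket will make the krb5_ccache report the client principal in the service's domain rather than the client's own, which matters to any caller that compares the cache's default principal against an expected identity. Minor: these are registry values under the key Software\MIT\Kerberos5, not registry keys, so "define one of the following registry values" would be more accurate.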