Problem with case insensitive user names in AD - Kerberos

This is a discussion on Problem with case insensitive user names in AD - Kerberos ; Hi, We have an environment consisting of Win2k and Win2k3 servers and workstations with Window XP SP2. The users created in AD are with lower case user principal names. eg: scheruku@XXX.COM While logging to Win2k3 AD using winlogon from WinXP, ...

+ Reply to Thread
Results 1 to 4 of 4

Thread: Problem with case insensitive user names in AD

  1. Problem with case insensitive user names in AD

    Hi,

    We have an environment consisting of Win2k and Win2k3 servers and
    workstations with Window XP SP2.
    The users created in AD are with lower case user principal names. eg:
    scheruku@XXX.COM

    While logging to Win2k3 AD using winlogon from WinXP, I have used the
    user name in mixed case eg: Scheruku in the WinLogon screen for
    authenticating.
    I have observed the following,
    1. In the Windows Credential cache, the TGT is with the client principal
    name as Scheruku@XXX.COM though the correct client name (UPN) is
    scheruku@XXX.COM
    2. I checked using ethereal and the AS-REQ, contains :
    2.1 Canonicalization flag set.
    2.2 client name: Scheruku (as given in logon screen)
    3. AS-REP
    3.1 client name: Scheruku (as given in logon screen)

    I think the TGT should be with the client name as that of sAMAccountName
    which is not the case.

    Then I gave user name as Scheruku@csafe.local (instead of just Scheruku)
    in the Winlogon screen and authenticated to Win2k3 AD.
    I observed the following now :
    1. In the Windows Credential cache, the TGT is with the client principal
    name as scheruku@XXX.COM
    2. I checked using ethereal and the AS-REQ, contains :
    2.1 Canonicalization flag set.
    2.2 client name: Scheruku (as given in logon screen)
    3. AS-REP
    3.1 client name: scheruku (same as that of sAMAccountName)



    Thinking that there might be some issue with my Win2k3 AD, I tested the
    same with Win2k AD. i.e. I have used the user name in mixed case eg:
    Scheruku and authenticated using WinLogon screen.
    I observed the following now :
    1. In the Windows Credential cache, the TGT is with the client principal
    name as scheruku@XXX.COM
    2. I checked using ethereal and the AS-REQ, contains :
    2.1 Canonicalization flag set.
    2.2 client name: Scheruku (as given in logon screen)
    3. AS-REP
    3.1 client name: scheruku (same as that of sAMAccountName)

    I don't understand the reason why Win2k3 AD is working differently when
    compared with Win2k. Can anyone help me to resolve the problem with my
    Win2k3 server?

    Thanks,
    Srini


    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Problem with case insensitive user names in AD



    Srinivas Cheruku wrote:
    > Hi,
    >
    > We have an environment consisting of Win2k and Win2k3 servers and
    > workstations with Window XP SP2.
    > The users created in AD are with lower case user principal names. eg:
    > scheruku@XXX.COM


    We ran into a problem like this too. Account names in AD are case insensitive.
    Kerberos principals are case sensitive. So windows will accept any case
    and will return a ticket with some case. I think W2K3 is trying to
    do the best it can in this case :-).

    (Java had a problem with pre-auth and the salt with DES, as it assumed it
    know the principal with case and thus the salt. The salt is case sensitive.
    Java 1.6 fixed this.)

    Our solution, use lower case account names for users.

    This means you can not have two principal names in AD that differ
    only by case.

    >
    > While logging to Win2k3 AD using winlogon from WinXP, I have used the
    > user name in mixed case eg: Scheruku in the WinLogon screen for
    > authenticating.
    > I have observed the following,
    > 1. In the Windows Credential cache, the TGT is with the client principal
    > name as Scheruku@XXX.COM though the correct client name (UPN) is
    > scheruku@XXX.COM
    > 2. I checked using ethereal and the AS-REQ, contains :
    > 2.1 Canonicalization flag set.
    > 2.2 client name: Scheruku (as given in logon screen)
    > 3. AS-REP
    > 3.1 client name: Scheruku (as given in logon screen)
    >
    > I think the TGT should be with the client name as that of sAMAccountName
    > which is not the case.
    >
    > Then I gave user name as Scheruku@csafe.local (instead of just Scheruku)
    > in the Winlogon screen and authenticated to Win2k3 AD.
    > I observed the following now :
    > 1. In the Windows Credential cache, the TGT is with the client principal
    > name as scheruku@XXX.COM
    > 2. I checked using ethereal and the AS-REQ, contains :
    > 2.1 Canonicalization flag set.
    > 2.2 client name: Scheruku (as given in logon screen)
    > 3. AS-REP
    > 3.1 client name: scheruku (same as that of sAMAccountName)


    What is the UserPrincipalName ? I believe W2K3 should be
    trying to have the ticket match this even with case.

    >
    >
    >
    > Thinking that there might be some issue with my Win2k3 AD, I tested the
    > same with Win2k AD. i.e. I have used the user name in mixed case eg:
    > Scheruku and authenticated using WinLogon screen.
    > I observed the following now :
    > 1. In the Windows Credential cache, the TGT is with the client principal
    > name as scheruku@XXX.COM
    > 2. I checked using ethereal and the AS-REQ, contains :
    > 2.1 Canonicalization flag set.
    > 2.2 client name: Scheruku (as given in logon screen)
    > 3. AS-REP
    > 3.1 client name: scheruku (same as that of sAMAccountName)
    >
    > I don't understand the reason why Win2k3 AD is working differently when
    > compared with Win2k. Can anyone help me to resolve the problem with my
    > Win2k3 server?
    >
    > Thanks,
    > Srini
    >
    >
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >
    >


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  3. RE: Problem with case insensitive user names in AD

    Douglas, Srinivas,

    During my testing I have observed strange, inconsistent results, but
    similar to the findings of yourself and Srinivas. See below :

    I have found that you need to use the default enc type for user accounts
    (e.g. RC4-HMAC), e.g. you do not have the "Use DES" flag set in the
    account properties. If the "Use DES" flag is set, then some issues,
    which MS have decided not to fix (to encourage use of non-DES ciphers)
    become aparent related to case sensitivity of principal names.

    In my test environment I have a Windows Server 2003 SP1 system running a
    domain with Active Directory. All latest fixes are applied, by using
    Windows Update.

    In Windows logon screen, I enter account name USer@xxx.com. After logon,
    principal name of TGT in cache (displayed using kerbtray) = user@XXX.COM
    - This is correct because the principal name in the cache is based on
    the case of account, as it is defined in AD.

    In Windows logon screen, I enter account name USer, and select domain
    XXX.COM. After logon, principal name of TGT in cache (displayed using
    kerbtray) = USer@XXX.COM
    - This is NOT correct because the principal name in the cache is based
    on the case of the account name entered in logon screen, which might not
    be the same each time the user logs on.

    So, from the above, it looks like there is a bug in MS AD on Windows
    Server 2003 SP1, that occurs only when a UPN is not used during user
    logon to Windows.

    However, on a different server running Windows Server 2003 SP1, with all
    latest fixes applied, when I logon using UPN and non-UPN logon I get a
    principal name in the Microsoft cache based on the case of the user as
    defined in AD, and not in any way related to the case of user name
    entered during initial logon. Clearly this is not the same as on my
    other server, as I described above, but it is hard to know what the
    differences are since they were both built the same way.

    Also, if I found if I run the same tests described above using a Windows
    2000 DC that I have in my test environment, then both UPN and non-UPN
    account name logon methods work as I would expect. e.g. the principal
    name in cache after the logon is based on the case of account name in
    AD, not using the case of the user account name entered at initial
    Windows logon.

    I would be interested to hear if anybody else has experienced the same
    inconsistencies ?

    This is all possible because MS Windows is specifying the canonicalize
    flag in the Kerberos AS-REQ. This is recognised by AD and it allows a
    principal name with a case other than the one requested to be used when
    issuing the TGT. Some implementations of Kerberos do not set the
    canonicalize flag in AS-REQ, and therefore the above may not be observed
    if a non-Microsoft Kerberos library (e.g. MIT code or Java) is used to
    request the TGT. With these implementations the case of the principal in
    cache will be same as case of principal in AS-REQ.

    You mentioned in your reply that you "use lower case account names for
    users". This is fine, but what happens if a user enters any upper case
    characters for their account during Windows logon ? Do you still see the
    principal in Microsoft cred cache as @ or is it
    @ ? It would be useful if you can
    confirm this to see if you are getting same results as we are.

    Thanks,
    Tim


    -----Original Message-----
    From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On
    Behalf Of Douglas E. Engert
    Sent: 12 January 2007 16:42
    To: Srinivas Cheruku
    Cc: kerberos@mit.edu
    Subject: Re: Problem with case insensitive user names in AD



    Srinivas Cheruku wrote:
    > Hi,
    >
    > We have an environment consisting of Win2k and Win2k3 servers and
    > workstations with Window XP SP2.
    > The users created in AD are with lower case user principal names. eg:
    > scheruku@XXX.COM


    We ran into a problem like this too. Account names in AD are case
    insensitive.
    Kerberos principals are case sensitive. So windows will accept any case
    and will return a ticket with some case. I think W2K3 is trying to
    do the best it can in this case :-).

    (Java had a problem with pre-auth and the salt with DES, as it assumed
    it
    know the principal with case and thus the salt. The salt is case
    sensitive.
    Java 1.6 fixed this.)

    Our solution, use lower case account names for users.

    This means you can not have two principal names in AD that differ
    only by case.

    >
    > While logging to Win2k3 AD using winlogon from WinXP, I have used the
    > user name in mixed case eg: Scheruku in the WinLogon screen for
    > authenticating.
    > I have observed the following,
    > 1. In the Windows Credential cache, the TGT is with the client

    principal
    > name as Scheruku@XXX.COM though the correct client name (UPN) is
    > scheruku@XXX.COM
    > 2. I checked using ethereal and the AS-REQ, contains :
    > 2.1 Canonicalization flag set.
    > 2.2 client name: Scheruku (as given in logon screen)
    > 3. AS-REP
    > 3.1 client name: Scheruku (as given in logon screen)
    >
    > I think the TGT should be with the client name as that of

    sAMAccountName
    > which is not the case.
    >
    > Then I gave user name as Scheruku@csafe.local (instead of just

    Scheruku)
    > in the Winlogon screen and authenticated to Win2k3 AD.
    > I observed the following now :
    > 1. In the Windows Credential cache, the TGT is with the client

    principal
    > name as scheruku@XXX.COM
    > 2. I checked using ethereal and the AS-REQ, contains :
    > 2.1 Canonicalization flag set.
    > 2.2 client name: Scheruku (as given in logon screen)
    > 3. AS-REP
    > 3.1 client name: scheruku (same as that of sAMAccountName)


    What is the UserPrincipalName ? I believe W2K3 should be
    trying to have the ticket match this even with case.

    >
    >
    >
    > Thinking that there might be some issue with my Win2k3 AD, I tested

    the
    > same with Win2k AD. i.e. I have used the user name in mixed case eg:
    > Scheruku and authenticated using WinLogon screen.
    > I observed the following now :
    > 1. In the Windows Credential cache, the TGT is with the client

    principal
    > name as scheruku@XXX.COM
    > 2. I checked using ethereal and the AS-REQ, contains :
    > 2.1 Canonicalization flag set.
    > 2.2 client name: Scheruku (as given in logon screen)
    > 3. AS-REP
    > 3.1 client name: scheruku (same as that of sAMAccountName)
    >
    > I don't understand the reason why Win2k3 AD is working differently

    when
    > compared with Win2k. Can anyone help me to resolve the problem with my


    > Win2k3 server?
    >
    > Thanks,
    > Srini
    >
    >
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >
    >


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  4. Re: Problem with case insensitive user names in AD



    Tim Alsop wrote:
    > Douglas, Srinivas,
    >
    > During my testing I have observed strange, inconsistent results, but
    > similar to the findings of yourself and Srinivas. See below :
    >
    > I have found that you need to use the default enc type for user accounts
    > (e.g. RC4-HMAC), e.g. you do not have the "Use DES" flag set in the
    > account properties. If the "Use DES" flag is set, then some issues,
    > which MS have decided not to fix (to encourage use of non-DES ciphers)
    > become aparent related to case sensitivity of principal names.


    AFS is service still using DES. Are you referring to the way the DES salt
    is handled?

    >
    > In my test environment I have a Windows Server 2003 SP1 system running a
    > domain with Active Directory. All latest fixes are applied, by using
    > Windows Update.
    >
    > In Windows logon screen, I enter account name USer@xxx.com. After logon,
    > principal name of TGT in cache (displayed using kerbtray) = user@XXX.COM
    > - This is correct because the principal name in the cache is based on
    > the case of account, as it is defined in AD.
    >
    > In Windows logon screen, I enter account name USer, and select domain
    > XXX.COM. After logon, principal name of TGT in cache (displayed using
    > kerbtray) = USer@XXX.COM
    > - This is NOT correct because the principal name in the cache is based
    > on the case of the account name entered in logon screen, which might not
    > be the same each time the user logs on.


    Don't see this on XP Pro client to DC running W2k3 R2 SP1.
    Principal always comes back as lower case.

    >
    > So, from the above, it looks like there is a bug in MS AD on Windows
    > Server 2003 SP1, that occurs only when a UPN is not used during user
    > logon to Windows.
    >
    > However, on a different server running Windows Server 2003 SP1, with all
    > latest fixes applied, when I logon using UPN and non-UPN logon I get a
    > principal name in the Microsoft cache based on the case of the user as
    > defined in AD, and not in any way related to the case of user name
    > entered during initial logon. Clearly this is not the same as on my
    > other server, as I described above, but it is hard to know what the
    > differences are since they were both built the same way.


    Yes looks strange.

    >
    > Also, if I found if I run the same tests described above using a Windows
    > 2000 DC that I have in my test environment, then both UPN and non-UPN
    > account name logon methods work as I would expect. e.g. the principal
    > name in cache after the logon is based on the case of account name in
    > AD, not using the case of the user account name entered at initial
    > Windows logon.
    >
    > I would be interested to hear if anybody else has experienced the same
    > inconsistencies ?
    >
    > This is all possible because MS Windows is specifying the canonicalize
    > flag in the Kerberos AS-REQ. This is recognised by AD and it allows a
    > principal name with a case other than the one requested to be used when
    > issuing the TGT. Some implementations of Kerberos do not set the
    > canonicalize flag in AS-REQ, and therefore the above may not be observed
    > if a non-Microsoft Kerberos library (e.g. MIT code or Java) is used to
    > request the TGT. With these implementations the case of the principal in
    > cache will be same as case of principal in AS-REQ.
    >
    > You mentioned in your reply that you "use lower case account names for
    > users". This is fine, but what happens if a user enters any upper case
    > characters for their account during Windows logon ? Do you still see the
    > principal in Microsoft cred cache as @ or is it
    > @ ? It would be useful if you can
    > confirm this to see if you are getting same results as we are.


    kerbtray always shows lower case.



    >
    > Thanks,
    > Tim
    >
    >
    > -----Original Message-----
    > From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On
    > Behalf Of Douglas E. Engert
    > Sent: 12 January 2007 16:42
    > To: Srinivas Cheruku
    > Cc: kerberos@mit.edu
    > Subject: Re: Problem with case insensitive user names in AD
    >
    >
    >
    > Srinivas Cheruku wrote:
    >> Hi,
    >>
    >> We have an environment consisting of Win2k and Win2k3 servers and
    >> workstations with Window XP SP2.
    >> The users created in AD are with lower case user principal names. eg:
    >> scheruku@XXX.COM

    >
    > We ran into a problem like this too. Account names in AD are case
    > insensitive.
    > Kerberos principals are case sensitive. So windows will accept any case
    > and will return a ticket with some case. I think W2K3 is trying to
    > do the best it can in this case :-).
    >
    > (Java had a problem with pre-auth and the salt with DES, as it assumed
    > it
    > know the principal with case and thus the salt. The salt is case
    > sensitive.
    > Java 1.6 fixed this.)
    >
    > Our solution, use lower case account names for users.
    >
    > This means you can not have two principal names in AD that differ
    > only by case.
    >
    >> While logging to Win2k3 AD using winlogon from WinXP, I have used the
    >> user name in mixed case eg: Scheruku in the WinLogon screen for
    >> authenticating.
    >> I have observed the following,
    >> 1. In the Windows Credential cache, the TGT is with the client

    > principal
    >> name as Scheruku@XXX.COM though the correct client name (UPN) is
    >> scheruku@XXX.COM
    >> 2. I checked using ethereal and the AS-REQ, contains :
    >> 2.1 Canonicalization flag set.
    >> 2.2 client name: Scheruku (as given in logon screen)
    >> 3. AS-REP
    >> 3.1 client name: Scheruku (as given in logon screen)
    >>
    >> I think the TGT should be with the client name as that of

    > sAMAccountName
    >> which is not the case.
    >>
    >> Then I gave user name as Scheruku@csafe.local (instead of just

    > Scheruku)
    >> in the Winlogon screen and authenticated to Win2k3 AD.
    >> I observed the following now :
    >> 1. In the Windows Credential cache, the TGT is with the client

    > principal
    >> name as scheruku@XXX.COM
    >> 2. I checked using ethereal and the AS-REQ, contains :
    >> 2.1 Canonicalization flag set.
    >> 2.2 client name: Scheruku (as given in logon screen)
    >> 3. AS-REP
    >> 3.1 client name: scheruku (same as that of sAMAccountName)

    >
    > What is the UserPrincipalName ? I believe W2K3 should be
    > trying to have the ticket match this even with case.
    >
    >>
    >>
    >> Thinking that there might be some issue with my Win2k3 AD, I tested

    > the
    >> same with Win2k AD. i.e. I have used the user name in mixed case eg:
    >> Scheruku and authenticated using WinLogon screen.
    >> I observed the following now :
    >> 1. In the Windows Credential cache, the TGT is with the client

    > principal
    >> name as scheruku@XXX.COM
    >> 2. I checked using ethereal and the AS-REQ, contains :
    >> 2.1 Canonicalization flag set.
    >> 2.2 client name: Scheruku (as given in logon screen)
    >> 3. AS-REP
    >> 3.1 client name: scheruku (same as that of sAMAccountName)
    >>
    >> I don't understand the reason why Win2k3 AD is working differently

    > when
    >> compared with Win2k. Can anyone help me to resolve the problem with my

    >
    >> Win2k3 server?
    >>
    >> Thanks,
    >> Srini
    >>
    >>
    >> ________________________________________________
    >> Kerberos mailing list Kerberos@mit.edu
    >> https://mailman.mit.edu/mailman/listinfo/kerberos
    >>
    >>

    >


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


+ Reply to Thread