Re: Microsoft PKINIT Question

Henry B. Hotz wrote:
> Is the Microsoft NT-PRINCIPAL-NAME attribute case sensitive?

The non-realm part is case insensitive. We ran into problems with
users with mixed-case principals, especially since the salt is case sensitive.
Users would always use lower case and AD would accept this. But Java
assumed it could derive the salt from the principal and would fail.

Looking at AD many of the userPrincipalNames also have lowercase realm names,
but ServicePrincipalNames don't appear to have the @realm at all.

> I mean that question two ways:  1) Does a MS DC care (I'm guessing 
> not)?  2) Does Heimdal care (I'm guessing yes)?
> I'm particularly concerned that a smart card might have a lower case 
> realm name in it and work fine with a DC, but not work with a Heimdal 
> KDC that uses the conventional upper case realm name.  (Both brands of 
> KDC have the same nominal realm name.  Don't ask how this can happen in 
> real life, but it can.)
> ------------------------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu


  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
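
The salt problem described in the reply above, as an added example that is not part of the original message: a client that guesses the RFC 4120 default salt from the typed principal gets a different key than one that uses the salt the KDC supplies (for instance in ETYPE-INFO2 pre-authentication data). Only the PBKDF2 stage of the RFC 3962 string-to-key is shown; the principal, realm, password and function names are constructed for illustration.

```python
import hashlib

def default_salt(realm, components):
    """RFC 4120 default salt: realm, then each name component, no separators."""
    return (realm + "".join(components)).encode("utf-8")

def pbkdf2_stage(password, salt, iterations=4096, keylen=32):
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES string-to-key.
    The final DK(tkey, "kerberos") step is omitted; it takes no salt input."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, keylen)

def client_key(password, typed_principal, kdc_salt=None):
    """Derive the client's key. With no salt hint from the KDC
    (kdc_salt=None) the client guesses the default salt from what was typed."""
    name, _, realm = typed_principal.partition("@")
    if kdc_salt is None:
        kdc_salt = default_salt(realm, name.split("/"))
    return pbkdf2_stage(password, kdc_salt)

# Constructed sample data (not from the thread).
PASSWORD = "correct horse battery staple"
STORED_SALT = default_salt("EXAMPLE.ORG", ["JSmith"])  # case used when key was set
KDC_KEY = pbkdf2_stage(PASSWORD, STORED_SALT)
TYPED = "jsmith@EXAMPLE.ORG"                           # what the user types

def compare():
    """Return (guessed_salt_matches, kdc_supplied_salt_matches)."""
    guessed = client_key(PASSWORD, TYPED) == KDC_KEY
    hinted = client_key(PASSWORD, TYPED, kdc_salt=STORED_SALT) == KDC_KEY
    return guessed, hinted

if __name__ == "__main__":
    guessed, hinted = compare()
    print("salt guessed from typed name matches KDC key:", guessed)
    print("salt supplied by the KDC matches KDC key:    ", hinted)
```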