Ensure cname precisely matches what was in request #407
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
MaximeKjaer
commented
Oct 8, 2025
MaximeKjaer
changed the title
MaximeKjaer
force-pushed
the
cname-copy
branch
from
f61c048 to
cda9b28
Compare
MaximeKjaer
commented
Oct 21, 2025
Comment on lines
+122
to
+124
| [Obsolete( | ||
| "Using SamAccountName may cause non spec-compliant behavior. Use ClientName instead to set the client " + | ||
| "principal name that should be used in Kerberos responses in a spec-compliant manner.")] |
There was a problem hiding this comment.
I made this obsolete because you can achieve the same result via ClientName (and you have more control over the number of Name parts, and the Type of the principal name).
Also I wanted to ensure Kerberos.NET avoids using SamAccountName as much as possible, as it's the cause of non spec compliant behavior -- and that any usages are appropriately marked as dangerous / deprecated way of doing things.
But I think it's debatable if it really should be marked as deprecated. Happy to roll this back if you would rather keep it as-is.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What's the problem?
The current handling of cname is not always spec-compliant. The spec requires the Kerberos server to essentially echo back cname and crealm to the client. However, in some scenarios, Kerberos.NET responds with a slightly different cname.
This is an issue for Kerberos clients that check that the cname in the response exactly matches what was in the request (such as MIT krb5, see code pointer).
The current handling of cname is only subtly wrong. It works in the most common scenario (let's call this scenario 1), where:
["username", "realm"]"realm"However, it does not work in this scenario (let's call this scenario 2):
["username"]"realm"This latter scenario can occur in practice. For instance, see the Wireshark trace below, where a Linux client got a referral TGT from an on-prem AD DS server. The cname only has one part.
Using this referral TGT gave
What's the solution?
Currently Kerberos.NET uses
crealmandcnamefrom the request toFindanIKerberosPrincipal, and then re-constructscnameandcrealmfields in the response from the found principal.However, this conversion from
cname/crealmtoIKerberosPrincipalisn't injective. In both scenarios 1 and 2, we can find the same client principal from thecnameandcrealmfields. When we convert that principal back tocnameandcrealm, we don't necessarily get the same values back.The solution is to copy cname and crealm from the request. This aligns with the spec, section 3.3.3 Generation of KRB_TGS_REP Message:
What issue is this related to, if any?
None.