3.3.5.6.1 Client Principal Lookup

This section is relevant only for KILE implementations that use Active Directory for the account database.

If the Name Type ([RFC4120] section 6.2) is NT-PRINCIPAL, then the KDC SHOULD:

  1. If the realm field is not present in the request or is the DC's domain name, call GetUserLogonInfoByAttribute ([MS-ADTS] section 3.1.1.13.6) where:

    • SearchKey is set to the cname field of the request.

    • Attribute is set to the sAMAccountName attribute ([MS-ADA3] section 2.222).

  2. If STATUS_NOT_FOUND or STATUS_NO_SUCH_USER is returned ([MS-ERREF] section 2.3.1), then if realm is not present or is the DC's domain name, call GetUserLogonInfoByAttribute where:

    • SearchKey is set to cname + "$".

    • Attribute is set to sAMAccountName.

  3. If STATUS_NOT_FOUND or STATUS_NO_SUCH_USER is returned, then call GetUserLogonInfoByUPNOrAccountName ([MS-ADTS] section 3.1.1.13.7) where UPNOrName is set to:

    • If realm is present, cname@realm.

    • Otherwise, cname@DC's domain name.

  4. If STATUS_NOT_FOUND or STATUS_NO_SUCH_USER is returned and:

    • If no preauthentication data was provided, then call IDL_DRSCrackNames ([MS-DRSR] section 4.1.4) where:

      • pmsgIn.dwFlags is set to GC and TR.

      • pmsgIn.formatOffered is set to DS_USER_PRINCIPAL_NAME_AND_ALTSECID ([MS-DRSR] section 4.1.4.1.2).

      • pmsgIn.cNames is set to 1.

      • pmsgIn.rpNames is set to:

        • If realm is present, cname@realm.

        • Otherwise, cname@DC's domain name.

    • If preauthentication data was provided, then call IDL_DRSCrackNames where:

      • pmsgIn.dwFlags is set to GC and TR.

      • pmsgIn.formatOffered is set to DS_USER_PRINCIPAL_NAME ([MS-DRSR] section 4.1.4.1.3).

      • pmsgIn.cNames is set to 1.

      • pmsgIn.rpNames is set to:

        • If realm is present, cname@realm.

        • Otherwise, cname@DC's domain name.

  5. If DS_NAME_ERROR_NOT_FOUND is returned ([MS-DRSR] section 4.1.4.1.8), then the KDC MUST return KDC_ERR_C_PRINCIPAL_UNKNOWN ([RFC4120] section 7.5.9).

If the Name Type is NT-ENTERPRISE, then the KDC SHOULD:

  1. Set local variable UPNClientName to the contents of cname before the @ character.

  2. Set local variable UPNDomainName to the contents of cname after the @ character.

  3. Call GetUserLogonInfoByUPNOrAccountName where UPNOrName is set to cname.

  4. If STATUS_NOT_FOUND or STATUS_NO_SUCH_USER is returned and UPNDomainName is the same as the DC's domain name, then call GetUserLogonInfoByAttribute where:

    • SearchKey is set to UPNClientName.

    • Attribute is set to sAMAccountName.

  5. If STATUS_NOT_FOUND or STATUS_NO_SUCH_USER is returned and UPNDomainName is the same as the DC's domain name, then call GetUserLogonInfoByAttribute where:

    • SearchKey is set to UPNClientName + "$".

    • Attribute is set to sAMAccountName.

  6. If STATUS_NOT_FOUND or STATUS_NO_SUCH_USER is returned and:

    • If no preauthentication data was provided, then call IDL_DRSCrackNames where:

      • pmsgIn.dwFlags is set to GC and TR.

      • pmsgIn.formatOffered is set to DS_USER_PRINCIPAL_NAME_AND_ALTSECID.

      • pmsgIn.cNames is set to 1.

      • pmsgIn.rpNames is set to cname.

    • If preauthentication data was provided, then call IDL_DRSCrackNames where:

      • pmsgIn.dwFlags is set to GC and TR.

      • pmsgIn.formatOffered is set to DS_USER_PRINCIPAL_NAME.

      • pmsgIn.cNames is set to 1.

      • pmsgIn.rpNames is set to cname.

  7. If STATUS_NOT_FOUND or STATUS_NO_SUCH_USER is returned, then the KDC MUST return KDC_ERR_C_PRINCIPAL_UNKNOWN.

In all cases, if the call succeeds, the Active Directory account for the requested principal was found.
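The following is an added model of the lookup order for both the NT-PRINCIPAL and NT-ENTERPRISE procedures above; it is not code from [MS-KILE] or Windows. DIRECTORY, Account, DC_DOMAIN and the three helper functions are constructed stand-ins for the [MS-ADTS] and [MS-DRSR] calls, with matching simplified to case-insensitive string equality, and the altSecurityIdentities form "Kerberos:<principal>" is assumed for the DS_USER_PRINCIPAL_NAME_AND_ALTSECID case.

```python
# Constructed model of MS-KILE 3.3.5.6.1; helpers are stand-ins for the
# GetUserLogonInfo* and IDL_DRSCrackNames calls, not real APIs.
from dataclasses import dataclass, field

DC_DOMAIN = "corp.example"   # the DC's domain name (constructed)

@dataclass
class Account:
    sam: str                                    # sAMAccountName
    upn: str = None                             # userPrincipalName
    alt_sec_ids: list = field(default_factory=list)  # altSecurityIdentities

DIRECTORY = [   # constructed sample accounts
    Account("alice", "alice@corp.example"),
    Account("WEB01$"),                          # computer account, no UPN
    Account("bob", "bob@mail.example", ["Kerberos:bob@MIT.EXAMPLE"]),
]

def by_attribute(key):            # GetUserLogonInfoByAttribute(sAMAccountName)
    return next((a for a in DIRECTORY if a.sam.lower() == key.lower()), None)

def by_upn_or_account(name):      # GetUserLogonInfoByUPNOrAccountName (UPN match only)
    return next((a for a in DIRECTORY if a.upn and a.upn.lower() == name.lower()), None)

def crack_names(name, with_altsecid):   # IDL_DRSCrackNames, GC|TR, cNames = 1
    for a in DIRECTORY:
        if a.upn and a.upn.lower() == name.lower():
            return a
        # DS_USER_PRINCIPAL_NAME_AND_ALTSECID also matches a Kerberos:<upn> altSecId
        if with_altsecid and any(s.lower() == f"kerberos:{name}".lower() for s in a.alt_sec_ids):
            return a
    return None

def lookup_client(name_type, cname, realm, preauth_provided):
    # Returns (sAMAccountName, spec step that matched) or (error, None).
    if name_type == "NT-PRINCIPAL":
        local = realm is None or realm.lower() == DC_DOMAIN.lower()
        upn = f"{cname}@{realm or DC_DOMAIN}"
        steps = [(1, lambda: by_attribute(cname) if local else None),
                 (2, lambda: by_attribute(cname + "$") if local else None),
                 (3, lambda: by_upn_or_account(upn)),
                 (4, lambda: crack_names(upn, not preauth_provided))]
    elif name_type == "NT-ENTERPRISE":
        client, _, domain = cname.partition("@")       # steps 1 and 2
        same = domain.lower() == DC_DOMAIN.lower()
        steps = [(3, lambda: by_upn_or_account(cname)),
                 (4, lambda: by_attribute(client) if same else None),
                 (5, lambda: by_attribute(client + "$") if same else None),
                 (6, lambda: crack_names(cname, not preauth_provided))]
    else:
        raise ValueError("name type not covered by this section")
    for step, probe in steps:
        acct = probe()
        if acct is not None:
            return acct.sam, step
    return "KDC_ERR_C_PRINCIPAL_UNKNOWN", None
```

Note that the only path through which an altSecurityIdentities mapping resolves a client is the no-preauthentication branch of the IDL_DRSCrackNames step, so the same cname can resolve or fail depending on whether preauthentication data was supplied.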