3.3.5.1.1 Server Principal Lookup

This section is relevant only for KILE implementations that use Active Directory for the account database.

Note: Some of the data types in the following procedures are defined in [RFC4120] section 5.2.

If the Name Type ([RFC4120] section 6.2) is NT-PRINCIPAL, NT-SRV-HST, or NT-SRV-INST, then the KDC SHOULD:

  1. If the KerberosString[0] element of name-string of the PrincipalName is "krbtgt" and there are only two KerberosString elements in name-string, then call GetUserLogonInfoByAttribute ([MS-ADTS] section 3.1.1.13.6) where:

    • SearchKey is set to KerberosString[1].

    • Attribute is set to the sAMAccountName attribute ([MS-ADA3] section 2.222).

  2. Otherwise:

    1. Call GetUserLogonInfoByAttribute where:

      • SearchKey is set to KerberosString[0] + "/" + the concatenation of the remaining KerberosString elements in order.

      • Attribute is set to the userPrincipalName attribute ([MS-ADA3] section 2.349).

    2. If STATUS_NOT_FOUND or STATUS_NO_SUCH_USER is returned ([MS-ERREF] section 2.3.1) and there is only one KerberosString element in name-string, then:

      1. Call GetUserLogonInfoByAttribute where:

        • SearchKey is set to KerberosString[0].

        • Attribute is set to sAMAccountName.

      2. If STATUS_NOT_FOUND or STATUS_NO_SUCH_USER is returned, then call GetUserLogonInfoByAttribute where:

        • SearchKey is set to KerberosString[0] + "$".

        • Attribute is set to sAMAccountName.

  3. If STATUS_NOT_FOUND or STATUS_NO_SUCH_USER is returned, then the KDC MUST return KDC_ERR_S_PRINCIPAL_UNKNOWN ([RFC4120] section 7.5.9).

If the Name Type is NT-ENTERPRISE, then the KDC SHOULD:

  1. Set local variable UPNServerName to the contents of the sname field of the request before the @ character.

  2. If there is only one KerberosString element in name-string, then call GetUserLogonInfoByAttribute where:

    • SearchKey is set to KerberosString[0].

    • Attribute is set to the servicePrincipalName attribute.

  3. If STATUS_NOT_FOUND or STATUS_NO_SUCH_USER is returned, then call GetUserLogonInfoByAttribute where:

    • SearchKey is set to UPNServerName.

    • Attribute is set to sAMAccountName.

  4. If ERROR_SUCCESS is returned and the account has no SPNs registered, then the KDC MUST return KDC_ERR_S_PRINCIPAL_UNKNOWN.

  5. Otherwise, if STATUS_NOT_FOUND or STATUS_NO_SUCH_USER is returned, then call GetUserLogonInfoByAttribute where:

    • SearchKey is set to UPNServerName + "$".

    • Attribute is set to sAMAccountName.

  6. If STATUS_NOT_FOUND or STATUS_NO_SUCH_USER is returned, then the KDC MUST return KDC_ERR_S_PRINCIPAL_UNKNOWN.

In all cases, if the call succeeds, the Active Directory account for the requested principal was found.
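The following is an added illustration, not part of [MS-KILE] or any Windows implementation: it models the lookup order of both procedures above against a constructed in-memory directory, so the sequence of (SearchKey, Attribute) pairs a KDC would try for a given sname can be inspected. GetUserLogonInfoByAttribute is replaced by an exact-match stub, the sample accounts are made up, and the separator used when concatenating the remaining name-string elements (which the text does not specify) is assumed to be none.

```python
# Added example (not from [MS-KILE]): a model of the lookup order in 3.3.5.1.1, run
# against a constructed in-memory directory. GetUserLogonInfoByAttribute is stubbed
# as an exact match on one attribute; a real KDC queries Active Directory.
SUCCESS, NOT_FOUND = "ERROR_SUCCESS", "STATUS_NOT_FOUND"
UNKNOWN = "KDC_ERR_S_PRINCIPAL_UNKNOWN"

# Constructed sample accounts: a user, a service account with SPNs, and a computer.
DIRECTORY = [
    {"sAMAccountName": "alice", "userPrincipalName": "alice@example.com", "servicePrincipalName": []},
    {"sAMAccountName": "svc_web", "userPrincipalName": "HTTP/www.example.com",
     "servicePrincipalName": ["HTTP/www.example.com", "HTTP/www"]},
    {"sAMAccountName": "WS01$", "userPrincipalName": None, "servicePrincipalName": ["HOST/WS01"]},
]

def get_user_logon_info_by_attribute(search_key, attribute):
    """Stand-in for [MS-ADTS] GetUserLogonInfoByAttribute (assumed exact match)."""
    for acct in DIRECTORY:
        values = acct[attribute] if isinstance(acct[attribute], list) else [acct[attribute]]
        if search_key in values:
            return SUCCESS, acct
    return NOT_FOUND, None

def lookup_server_principal(name_type, name_string):
    """Return (account or UNKNOWN, list of (SearchKey, Attribute) pairs tried in order)."""
    tried = []
    def lookup(key, attr):
        tried.append((key, attr))
        return get_user_logon_info_by_attribute(key, attr)
    if name_type in ("NT-PRINCIPAL", "NT-SRV-HST", "NT-SRV-INST"):
        if name_string[0] == "krbtgt" and len(name_string) == 2:
            status, acct = lookup(name_string[1], "sAMAccountName")
        else:  # no separator is specified for the remaining elements; assume none
            status, acct = lookup(name_string[0] + "/" + "".join(name_string[1:]), "userPrincipalName")
            if status != SUCCESS and len(name_string) == 1:
                status, acct = lookup(name_string[0], "sAMAccountName")
                if status != SUCCESS:  # computer accounts carry a trailing "$"
                    status, acct = lookup(name_string[0] + "$", "sAMAccountName")
    elif name_type == "NT-ENTERPRISE":
        upn_server_name = name_string[0].split("@", 1)[0]
        status, acct = NOT_FOUND, None
        if len(name_string) == 1:
            status, acct = lookup(name_string[0], "servicePrincipalName")
        if status != SUCCESS:
            status, acct = lookup(upn_server_name, "sAMAccountName")
            if status == SUCCESS and not acct["servicePrincipalName"]:
                return UNKNOWN, tried  # account exists but has no SPN registered
        if status != SUCCESS:
            status, acct = lookup(upn_server_name + "$", "sAMAccountName")
    else:
        raise ValueError("name type not covered by this section")
    return (acct if status == SUCCESS else UNKNOWN), tried
```

The `tried` list is the useful part for a defender: it shows, for example, that a single-component NT-PRINCIPAL name such as "WS01" is resolved only after two failed lookups, and that an NT-ENTERPRISE name for a plain user account is rejected even though the account exists.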