3.3.5.1.1 Server Principal Lookup

  • Article

This section is relevant only for KILE implementations that use Active Directory for the account database.

Note  Some of the data types in the following procedures are defined in [RFC4120] section 5.2.

If the Name Type ([RFC4120] section 6.2) is NT-PRINCIPAL, NT-SRV-HST, or NT-SRV-INST, then the KDC SHOULD:

  1. If the KerberosString[0] element of name-string of the PrincipalName is "krbtgt" and there are only two KerberosString elements in name-string, then call GetUserLogonInfoByAttribute
    ([MS-ADTS] section 3.1.1.13.6) where:

    • SearchKey is set to KerberosString[1].

    • Attribute is set to the sAMAccountName attribute ([MS-ADA3] section 2.222).

  2. Otherwise:

    1. Call GetUserLogonInfoByAttribute where:

      • SearchKey is set to KerberosString[0] + "/" + the concatenation of the remaining KerberosString elements in order.

      • Attribute is set to the userPrincipalName attribute ([MS-ADA3] section 2.349).

    2. If STATUS_NOT_FOUND or STATUS_NO_SUCH_USER is returned ([MS-ERREF] section 2.3.1) and there is only one KerberosString element in name-string, then:

      1. Call GetUserLogonInfoByAttribute where:

        • SearchKey is set to KerberosString[0].

        • Attribute is set to sAMAccountName.

      2. If STATUS_NOT_FOUND or STATUS_NO_SUCH_USER is returned, then call GetUserLogonInfoByAttribute where:

        • SearchKey is set to KerberosString[0] + "$".

        • Attribute is set to sAMAccountName.

  3. If STATUS_NOT_FOUND or STATUS_NO_SUCH_USER is returned, then the KDC MUST return KDC_ERR_S_PRINCIPAL_UNKNOWN ([RFC4120] section 7.5.9).

    If the Name Type is NT-ENTERPRISE, then the KDC SHOULD:

  4. Set local variable UPNServerName to the contents of the sname field of the request before the @ character.

  5. If there is only one KerberosString element in name-string, then call GetUserLogonInfoByAttribute where:

    • SearchKey is set to KerberosString[0].

    • Attribute is set to the servicePrincipalName element.

  6. If STATUS_NOT_FOUND or STATUS_NO_SUCH_USER is returned, then call GetUserLogonInfoByAttribute where:

    • SearchKey is set to UPNServerName.

    • Attribute is set to sAMAccountName.

  7. If ERROR_SUCCESS is returned and the account has no SPNs registered, then the KDC MUST return KDC_ERR_S_PRINCIPAL_UNKNOWN.

  8. Or if STATUS_NOT_FOUND or STATUS_NO_SUCH_USER is returned, then call GetUserLogonInfoByAttribute where:

    • SearchKey is set to UPNServerName + "$".

    • Attribute is set to sAMAccountName.

  9. If STATUS_NOT_FOUND or STATUS_NO_SUCH_USER is returned, then the KDC MUST return KDC_ERR_S_PRINCIPAL_UNKNOWN.

    In all cases, if the call succeeds, the Active Directory account for the requested principal was found.