Ensure cname precisely matches what was in request #407
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
MaximeKjaer
commented
Oct 8, 2025
| { | ||
| if (request.ClientName == null) | ||
| { | ||
| throw new InvalidOperationException("Client name must be provided when IsolateRealmsConsistently is set"); |
There was a problem hiding this comment.
It's a little hacky to reuse IsolateRealmsConsistently, but adding a second flag maybe feels like overkill.
Also, if no client name is set, we could fall back to inferring it from the request.Principal -- just to maintain backwards compat. But falling back to cname inferred from request.Principal means the response might not be spec-compliant (cname could be different from what's in the request)
MaximeKjaer
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What's the problem?
The current handling of cname is not always spec-compliant. The spec requires the Kerberos server to essentially echo back cname and crealm to the client. However, in some scenarios, Kerberos.NET responds with a slightly different cname.
This is an issue for Kerberos clients that check that the cname in the response exactly matches what was in the request (such as MIT krb5, see code pointer).
The current handling of cname is only subtly wrong. It works in the most common scenario (let's call this scenario 1), where:
["username", "realm"]"realm"However, it does not work in this scenario (let's call this scenario 2):
["username"]"realm"This latter scenario can occur in practice. For instance, see the Wireshark trace below, where a Linux client got a referral TGT from an on-prem AD DS server. The cname only has one part.
Using this referral TGT gave
What's the solution?
Currently Kerberos.NET uses
crealmandcnamefrom the request toFindanIKerberosPrincipal, and then re-constructscnameandcrealmfields in the response from the found principal.However, this conversion from
cname/crealmtoIKerberosPrincipalisn't injective. In both scenarios 1 and 2, we can find the same client principal from thecnameandcrealmfields. When we convert that principal back tocnameandcrealm, we don't necessarily get the same values back.The solution is to copy cname and crealm from the request. This aligns with the spec, section 3.3.3 Generation of KRB_TGS_REP Message:
What issue is this related to, if any?
None.