draft-swift-win2k-krb-referrals-00.txt   [plain text]

CAT Working Group                                              M. Swift 
Internet Draft                                                Microsoft 
Document: draft-swift-win2k-krb-referrals-00.txt           October 1999 
Category: Informational                                                 
           Generating KDC Referrals to locate Kerberos realms 
Status of this Memo 
   This document is an Internet-Draft and is in full conformance with 
   all provisions of Section 10 of RFC2026 [1].  
   Internet-Drafts are working documents of the Internet Engineering 
   Task Force (IETF), its areas, and its working groups. Note that 
   other groups may also distribute working documents as Internet-
   Drafts. Internet-Drafts are draft documents valid for a maximum of 
   six months and may be updated, replaced, or obsoleted by other 
   documents at any time. It is inappropriate to use Internet- Drafts 
   as reference material or to cite them other than as "work in 
   The list of current Internet-Drafts can be accessed at 

   The list of Internet-Draft Shadow Directories can be accessed at 
1. Abstract 
   The draft documents a new method for a Kerberos Key Distribution 
   Center (KDC) to respond to client requests for tickets as is used in 
   Microsoft's Windows 2000 implementation of Kerberos. The KDC will 
   handle requests for principals in other realms by returning either a 
   referral error or a cross-realm TGT to another realm on the referral 
2. Conventions used in this document 
   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
   this document are to be interpreted as described in RFC-2119 [2]. 
3. Introduction 
   The Kerberos TGS and AS protocols, as defined in RFC 1510 [3], 
   require that client software be able to parse principal names into a 
   realm and an account portion. However, if a site want to deploy a 
   Kerberos realm infrastructure separately from its DNS 
   infrastructure, Kerberos must be able to handle the case where the 
   client software does not know what realm contains a given service or 
   user principal name. In addition, the current protocol requires the 
   client to know the hierarchy of realms by explicitly asking for a 

Swift                  Category - Informational                      1 
                            KDC Referrals                October 1999 
   referral to a specific realm rather than letting the KDC pick the 
   next realm on the referral path. 
   To rectify these problems, this draft introduces three new kinds of 
   KDC referrals: 
   1. AS ticket referrals, in which the client doesnĘt know which realm 
     contains a user account. 
   2. TGS ticket referrals, in which the client doesnĘt know which realm 
     contains a server account. 
   3. Cross realm shortcut referrals, in which the KDC chooses the next 
     path on a referral chain 
4. Realm Organization Model 
   This draft assumes that the world of principals is arranged on 
   multiple levels: the realm, the enterprise, and the world. A KDC may 
   issue tickets for any principal in its realm or cross-realm tickets 
   for realms with which it has a direct trust relationship. The KDC 
   also has access to a trusted directory or name service that can 
   resolve any name from within its enterprise into a realm. This 
   trusted name service removes the need to use an untrusted DNS lookup 
   for name resolution. 
   For example, consider the following configuration, where lines 
   indicate trust relationships: 
                /        \ 
               /          \ 
   In this configuration, all users in the MS.COM enterprise could have 
   a principal name such as alice@ms.com, with the same realm portion. 
   In addition, servers at MS.COM should be able to have DNS host names 
   from any DNS domain independent of what Kerberos realm their 
   principal resides in. 
5. Principal Names 
5.1 Service Principal Names 
   The standard Kerberos model in RFC 1510 [3] gives each Kerberos 
   principal a single name. However, if a service is reachable by 
   several addresses, it may be useful for a principal to have multiple 
   names. Consider a service running on a multi-homed machine. Rather 
   than requiring a separate principal and password for each name it 
   exports, a single account with multiple names could be used. 
   Multiple names are also useful for services in that clients need not 
   perform DNS lookups to resolve a host name into a full DNS address. 
   Instead, the service may have a name for each of its supported host 
   names, including its IP address. Nonetheless, it is still convenient 
Swift                  Category - Informational                      2 
                            KDC Referrals                October 1999 
   for the service to not have to be aware of all these names. Thus a 
   new name may be added to DNS for a service by updating DNS and the 
   KDC database without having to notify the service. In addition, it 
   implies that these aliases are globally unique: they do not include 
   a specifier dictating what domain contains the principal. Thus, an 
   alias for a server is of the form "name/name/name" and may be 
   transmitted as any name type. 
5.2 Client Principal Names 
   Similarly, a client account may also have multiple principal names. 
   More useful, though, is a globally unique name that allows 
   unification of email and security principal names. For example, all 
   users at Microsoft may have a client principal name of the form 
   "joe@MS.COM" even though the principals are contained in multiple 
   realms. This global name is again an alias for the true client 
   principal name, which is indicates what realm contains the 
   principal. Thus, accounts "alice" in the realm ntdev.MS.COM and 
   "bob" in office.MS.COM may logon as "alice@MS.COM" and "bob@MS.COM". 
   This change requires a new client principal name type, as the AS-REQ 
   message only contains a single realm field, and the realm portion of 
   this name doesn't correspond to any realm security realm. Thus, the 
   entire name "alice@MS.COM" is transmitted in the client name field 
   of the AS-REQ message, with a name type of KRB-NT-ENTERPRISE-
        #define KRB-NT-ENTERPRISE-PRINCIPAL     10 
5.3 Name Canonicalization 
   In order to support name aliases, the Kerberos client must 
   explicitly request the name-canonicalization KDC option (bit 12) in 
   the ticket flags for the TGS-REQ. This option is an indicator to the 
   KDC that if it fails to find the name in the local database as a 
   normal principal name, it should try to look the name up as an alias 
   both locally and in a global directory. This flag indicates to the 
   KDC that the client is prepared to receive a reply with a different 
   client or server principal name than the request. Thus, the 
   KDCOptions types is redefined as: 
        KDCOptions ::=   BIT STRING { 
Swift                  Category - Informational                      3 
                            KDC Referrals                October 1999 
6. Client Referrals 
   The simplest form of ticket referral is for a user requesting a 
   ticket using an AS-REQ. In this case, the client machine will send 
   the AS request to a convenient realm, probably either the realm of 
   the client machine or the realm portion of the client name. In the 
   case of the name Alice@MS.COM, the client may optimistically choose 
   to send the request to MS.COM. The client will send the string 
   "alice@MS.COM" in the client principal name field using the KRB-NT-
   ENTERPRISE-PRINCIPAL name type. The KDC will try to lookup the name 
   in its local account database. If the account is present, it will 
   return a KDC reply structure with the appropriate ticket. If the 
   account is not present and the name-canonicalize option is 
   requested, it will try to lookup the entire name (Alice@MS.COM) in 
   the global directory. If this lookup is unsuccessful, it will return 
   the error KDC_ERR_C_PRINCIPAL_UNKNOWN. If the lookup is successful, 
   it will return an error KDC_ERR_WRONG_REALM (0x44) and in the error 
   message, the cname and crealm field will contain the client name and 
   the true realm of the client. If the KDC contains the account 
   locally, it will return a normal ticket. The client name and realm 
   portions of the ticket and KDC reply message will be the client's 
   true name in the realm, not the globally unique name. 
   If the client receives a KDC_ERR_WRONG_REALM error, it will issue a 
   new AS request to the realm specified by the crealm field of the 
   error message. 
7. Server Referrals 
   The server referral mechanism is a bit more complex than the client 
   referral mechanism. The primary problem is that the KDC must return 
   a referral ticket rather than an error message, so it must include 
   in the TGS response information about what realm contains the 
   service. This is done by returning information about the server name 
   in the pre-auth data field of the KDC reply. 
   If the KDC resolves the server principal name into a principal in 
   its realm, it may return a normal ticket. If the name-canonicalize 
   bit is not set, then the KDC should only look up the name as a 
   normal principal name. Otherwise, it should search all aliases as 
   well. The server principal name in both the ticket and the KDC reply 
   should be the true server principal name instead of one of the 
   aliases. This prevents the application server from needing to know 
   about all its aliases. 

Swift                  Category - Informational                      4 
                            KDC Referrals                October 1999 
   If the KDC doesnĘt find the principal locally but is able to 
   resolved it into a realm from the global directory, then it should 
   return a cross-realm ticket granting ticket to the next hop on the 
   trust path towards that realm. In this case, the KDC will return the 
   server realm as a PA data type. The data itself is an ASN.1 encoded 
   structure containing the server's realm, and if known, true 
   principal name. The preauthentication data type is KRB5-PADATA-
        #define KRB5-PADATA-SERVER-REFERRAL-INFO        20 
                referred-server-name[1]   KERB-PRINCIPAL-NAME OPTIONAL, 
                referred-server-realm[0]  KERB-REALM 
   The client may use the referred-server-name field to tell if it 
   already has a ticket to the server in its ticket cache. 
   The client can use this information to request a chain of cross-
   realm ticket granting tickets until it reaches this realm, and can 
   then expect to receive a valid service ticket. 
8. Cross Realm Routing 
   The current Kerberos protocol requires the client libraries to 
   explicitly request a cross-realm TGT for each pair of realms on a 
   referral chain. As a result, the client machines need to be aware of 
   the trust hierarchy and of any short-cut trusts (those that arenĘt 
   parent-child trusts). This requires a lot of configuration on the 
   client. Instead, the client should be able to request a TGT to the 
   target realm from each realm on the route. The KDC will determine 
   the best path for the client and return a cross-realm TGT. The 
   client software has to be aware that a request for a cross-realm TGT 
   may return a TGT for a realm different from the one requested. 
9. Security Considerations 
   The original Kerberos specification stated that the server principal 
   name in the KDC reply was the same as the server name in the 
   request. These protocol changes break that assumption, so the client 
   may be vulnerable to a denial of service attack by an attacker that 
   replays replies from previous requests. It can verify that the 
   request was one of its own by checking the client-address field or 
   authtime field, though, so the damage is limited. 
10. References 
   1  Bradner, S., "The Internet Standards Process -- Revision 3", BCP 
      9, RFC 2026, October 1996. 
Swift                  Category - Informational                      5 
                            KDC Referrals                October 1999 
   2  Bradner, S., "Key words for use in RFCs to Indicate Requirement 
      Levels", BCP 14, RFC 2119, March 1997 
   3  Kohl, J., Neuman, C., "The Kerberos Network Authentication 
      Service (V5)", RFC 1510, September 1993 
10. Author's Addresses 
   Michael Swift 
   One Microsoft Way 
   Redmond, Washington 
   Email: mikesw@microsoft.com 

Swift                  Category - Informational                      6 
                            KDC Referrals                October 1999 
Full Copyright Statement 
   Copyright (C) The Internet Society (1999).  All Rights Reserved. 
   This document and translations of it may be copied and furnished to 
   others, and derivative works that comment on or otherwise explain it 
   or assist in its implementation may be prepared, copied, published 
   and distributed, in whole or in part, without restriction of any 
   kind, provided that the above copyright notice and this paragraph 
   are included on all such copies and derivative works.  However, this   
   document itself may not be modified in any way, such as by removing   
   the copyright notice or references to the Internet Society or other   
   Internet organizations, except as needed for the purpose of 
   developing Internet standards in which case the procedures for 
   copyrights defined in the Internet Standards process must be 
   followed, or as required to translate it into languages other than 
   The limited permissions granted above are perpetual and will not be 
   revoked by the Internet Society or its successors or assigns. 
   This document and the information contained herein is provided on an 

Swift                  Category - Informational                      7